Abstract

The overall goal of this paper is to investigate the theoretical foundations of algorithmic verification techniques for first order linear logic specifications. The fragment of linear logic we consider in this paper is based on the linear logic programming language called LO (Andreoli and Pareschi 1990) enriched with universally quantified goal formulas. Although LO was originally introduced as a theoretical foundation for extensions of logic programming languages, it can also be viewed as a very general language to specify a wide range of infinite-state concurrent systems (Andreoli 1992; Cervesato 1995).

Our approach is based on the relation between backward reachability and provability highlighted in our previous work on propositional LO programs (Bozzano et al. 2002). Following this line of research, we define here a general framework for the bottom-up evaluation of first order linear logic specifications. The evaluation procedure is based on an effective fixpoint operator working on a symbolic representation of infinite collections of first order linear logic formulas. The theory of well quasi-orderings (Abdulla et al. 1996; Finkel and Schnoebelen 2001) can be used to provide sufficient conditions for the termination of the evaluation of non trivial fragments of first order linear logic.

KEYWORDS: Linear logic, fixpoint semantics, bottom-up evaluation 



1 Introduction 

The algorithmic techniques for the analysis of Petri Nets are based on very well consolidated theoretical foundations (Esparza and Melzer 2000; Karp and Miller 1969; Mayr 1984; Esparza et al. 1999; Finkel 1993; Silva et al. 1998). However, several interesting problems, e.g., the coverability problem, become undecidable when considering specification languages more expressive than basic Petri Nets. In this setting, validation of complex specifications is often performed through simulation and testing, i.e., by "executing" the specification looking for design errors, e.g., as in the methodology based on the construction of the reachability graph of Colored Petri Nets (Jensen 1997). In order to study algorithmic techniques for the analysis of a vast range of concurrency models it is important to find a uniform framework to reason about their characteristic features.

In our approach we will adopt linear logic (Girard 1987) as a unified logical framework for concurrency. Linear logic provides a logical characterization of concepts and mechanisms peculiar to concurrency like locality, recursion, and non determinism in the definition of a process (Andreoli and Pareschi 1990; Kobayashi and Yonezawa 1995; Martí-Oliet and Meseguer 1991); communication via synchronization and value passing (Cervesato 1995; Miller 1993); internal state and updates to its current value (Andreoli and Pareschi 1990; Miller 1996); and generation of fresh names (Cervesato et al. 1999; Miller 1993). Provability in fragments of linear logic can be used as a formal tool to reason about behavioral aspects of concurrent systems (Bozzano et al. 2002; McDowell et al. 1996).

The overall goal of this paper is to investigate the theoretical foundations of algorithmic verification techniques for specifications based on first order linear logic. The fragment we consider in this paper is based on the linear logic programming language called LO (Andreoli and Pareschi 1990) enriched with universally quantified goal formulas. Apart from being a logic programming language, the appealing feature of LO is that it can also be viewed as a rich specification language for concurrent systems:

• Specification languages like Petri Nets and multiset rewriting over first order atomic formulas can be naturally embedded into propositional LO (see, e.g., Cervesato 1995; Bozzano et al. 2002).

• First order LO specifications can be used to specify the internal state of processes with structured data represented as terms, thus enlarging the class of systems that can be formally specified in the logic. In this context universal quantification in goal formulas has several interesting interpretations: it can be viewed either as a sort of hiding operator in the style of the π-calculus (Miller 1993), or as a mechanism to generate fresh names as in (Cervesato et al. 1999).

Before discussing in more detail the technical contributions of our work, we will briefly illustrate the connection between Petri Nets and linear logic, and between reachability and provability in the corresponding formal settings. The bridge between the two paradigms is the proofs as computations interpretation of linear logic proposed in (Andreoli 1992) and in (Miller 1996).

Linear Logic and Concurrency. A Petri Net can be represented by means of a multiset-rewriting system over a finite alphabet, say p, q, r, ..., of place names. One possible way of expressing multiset rewrite rules in linear logic is based on the following idea. The connective ⅋ (multiplicative disjunction) is interpreted as a multiset constructor, whereas the connective ∘- (reversed linear implication) is interpreted as the rewrite relation. Both connectives are allowed in the LO fragment. For instance, as shown in (Cervesato 1995), the LO clause
can be viewed as a Petri Net transition that removes a token from places p and q and puts two tokens in place p, one in q, and one in t. According to the proofs as computations interpretation (Andreoli 1992), a top-down derivation in linear logic consists of a goal-directed sequence of rule applications. If we look at the initial goal as a multiset of atomic formulas (places) representing the initial marking of a Petri Net, then each application of an LO clause like the one illustrated above (backchaining in the terminology of Andreoli 1992) simulates the firing of a Petri Net transition at the corresponding marking. Furthermore, the overall top-down derivation corresponds to one of the possible executions of the net, leading from the initial marking to one of the target states.

Thanks to the presence of other connectives, LO supports more sophisticated mechanisms than the ones available in simple Petri Nets. For instance, in (Andreoli and Pareschi 1990) Andreoli and Pareschi use LO clauses with occurrences of ⅋ and & (additive conjunction) in their body to express what they called external and internal concurrency. Additive conjunction can be used, in fact, to simulate independent threads of execution running in parallel.

In our previous work (Bozzano et al. 2002), we made a first attempt to connect techniques used for the validation of Petri Nets with evaluation strategies of LO programs. Specifically, in (Bozzano et al. 2002) we defined an effective procedure to compute the set of linear logic goals (multisets of atomic formulas) that are consequences of a given propositional program, i.e., a "bottom-up" evaluation procedure for propositional LO programs. Our construction is based on the backward reachability algorithm of (Abdulla et al. 1996) used to decide the so called control state reachability problem of Petri Nets (i.e., the problem of deciding if a given set of upward closed configurations is reachable from an initial one). The algorithm works as follows. Starting from a set of target states, the algorithm computes symbolically the transitive closure of the predecessor relation (i.e., the transition relation read backwards) of the Petri Net taken into consideration. The algorithm is used to check safety properties: if the algorithm is executed starting from the set of unsafe states, then the corresponding safety property holds if and only if the initial marking is not in the resulting fixpoint.

In order to illustrate the connection between backward reachability for Petri Nets and provability in LO, we first observe that LO program clauses of the form

p ⅋ q ⅋ q ∘- ⊤

succeed in any context containing at least one occurrence of p and two occurrences of q. In other words they can be used to symbolically represent sets of markings that are closed upwards with respect to the multiset inclusion relation. Now, suppose we represent a Petri Net via an LO program P and the set of target states using a collection T of LO program clauses with ⊤ in the body. Then, the set of facts (i.e., multisets of atomic formulas) that are logical consequences of the LO program P ∪ T will represent the set of markings that are backward reachable from the target states.

The algorithm we presented in (Bozzano et al. 2002) is based on this idea, and it extends the backward reachability algorithm for Petri Nets of (Abdulla et al. 1996) to the more general case of propositional LO programs (i.e., with nested conjunctive and disjunctive goals).
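As an added example (not code from the paper), the backward reachability algorithm just described, run on a mutual exclusion net constructed for this purpose: transitions are pairs (pre, post) of multisets in the spirit of the LO clauses above, each upward-closed set is stored as its finite set of minimal markings (what a clause with body ⊤ denotes), and the safety property holds iff the initial marking is not covered by any element of the fixpoint.

```python
"""Backward reachability over upward-closed sets of Petri net markings.

Added example, not code from the paper.  A transition is written like an LO
clause H o- G, i.e. a pair (pre, post) of multisets of places; an upward-closed
set of markings is kept as its finite set of minimal markings, which is what a
clause H o- T denotes; the safety check is the membership test of the initial
marking in the fixpoint.  The mutual exclusion net below is constructed here.
"""
from collections import Counter


def covers(m, n):
    """True iff marking m is included in marking n (multiset inclusion m =< n)."""
    n = Counter(n)
    return all(n[p] >= k for p, k in Counter(m).items())


def minimize(gens):
    """Normalise and keep only the minimal markings (covered ones are redundant)."""
    gens = [+Counter(g) for g in gens]          # unary + drops zero counts
    keep = []
    for g in gens:
        if any(covers(h, g) and h != g for h in gens):
            continue
        if g not in keep:
            keep.append(g)
    return keep


def pre_t(m, pre, post):
    """Minimal marking of pre_t(up(m)): a predecessor must hold what t consumes
    plus the part of m that firing t does not produce (truncated subtraction)."""
    post = Counter(post)
    leftover = +Counter({p: k - post[p] for p, k in Counter(m).items()})
    return leftover + Counter(pre)


def backward_reach(rules, targets):
    """Minimal elements of Pre*(up(targets)); the iteration stops by Dickson's lemma."""
    gens = minimize(targets)
    while True:
        new = minimize(gens + [pre_t(m, pre, post) for m in gens for pre, post in rules])
        if {frozenset(g.items()) for g in new} == {frozenset(g.items()) for g in gens}:
            return new
        gens = new


def is_safe(rules, init, unsafe):
    """Safety holds iff no minimal predecessor of an unsafe state is covered by init."""
    return not any(covers(g, init) for g in backward_reach(rules, unsafe))


def rule(pre, post):
    return (Counter(pre), Counter(post))


# Constructed net: a client moves idle -> wait -> use -> idle; entering 'use'
# consumes the monitor token 'mon' and leaving 'use' gives it back.
RULES = [
    rule({"idle": 1}, {"wait": 1}),               # idle o- wait
    rule({"wait": 1, "mon": 1}, {"use": 1}),      # wait par mon o- use
    rule({"use": 1}, {"idle": 1, "mon": 1}),      # use o- idle par mon
]
# Unsafe states: two clients in the critical section, i.e. the clause use par use o- T.
UNSAFE = [{"use": 2}]

if __name__ == "__main__":
    for g in backward_reach(RULES, UNSAFE):
        print(dict(g))
    print("3 clients, 1 monitor:", is_safe(RULES, {"idle": 3, "mon": 1}, UNSAFE))
    print("2 clients, 2 monitors:", is_safe(RULES, {"idle": 2, "mon": 2}, UNSAFE))
```

The fixpoint does not depend on the number of clients, so the same six minimal markings decide the property for every instance of the parameterized net; with one monitor every generator needs a second monitor token or a client already in the critical section, hence the property holds for any number of clients.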

First Order Linear Logic. By lifting the logic language to first order, the resulting specification language becomes much more interesting and flexible than basic Petri Nets. In the extended setting, the logic representation of processes can be enriched with a notion of internal state and with communication mechanisms in which values can be passed between different processes. As an example, the following LO clause

idle(Y) ⅋ p(alice, wait, stored(Y)) ∘- p(alice, use, stored(Y))

can be interpreted as a transaction of a protocol during which the process named Alice (currently knowing Y) synchronizes with a monitor controlling the resource Y, checks that the monitor is idle and then enters the critical section in which she uses the resource Y. By instantiating the free variables occurring in such a rule, we obtain a family of transition rules that depend on the domain used to define the content of messages. In this setting the universal quantification in goal formulas can be used to generate fresh values, as in the following rule:

init ∘- ∀x.idle(x) ⅋ init

Intuitively, the demon process init creates new resources labeled with fresh identifiers.

The above illustrated connection between provability and reachability immediately gives us a well-founded manner of extending the algorithmic techniques used for the analysis of Petri Nets to the general case of first order linear logic specifications.

Our Contribution. The conceptual and technical contributions of our work can be summarized as follows.

(1) Combining ideas coming from the semantics of logic programming (Bossi et al. 1994; Falaschi et al. 1993) and from symbolic model checking for infinite state systems (Abdulla et al. 1996; Finkel and Schnoebelen 2001), in this paper we present the theoretical foundations for the definition of a procedure for the bottom-up evaluation of first order LO programs with universally quantified goals. By working in the general setting of linear logic, we obtain a framework that can be applied to other specification languages for concurrent systems like multiset rewriting over first order atomic formulas (Cervesato et al. 1999). The bottom-up evaluation procedure can also be viewed as a fixpoint semantics that allows us to compute the set of all goals that are linear logical consequences of a given (extended) LO program. The fixpoint semantics is based on an effective fixpoint operator and on a symbolic and finite representation of an infinite collection of first order provable LO goals. As previously mentioned, the possible infiniteness of the set of provable goals is due to LO program clauses with the constant ⊤, which represent sets of goals which are upward-closed with respect to the multiset inclusion relation. The symbolic representation is therefore crucial when trying to prove properties of infinite systems like parameterized systems, i.e., systems in which the number of individual processes is left as a parameter of the specification (e.g., mutual exclusion protocols for multi-agent systems (Bozzano 2002)). Intuitively, such a representation is obtained by restricting our attention to logical consequences represented via multisets of first order atomic formulas. As an example, the formula

p(A, use, stored(X)) ⅋ p(B, use, stored(X)) ∘- ⊤

can be used to denote all multisets of ground atomic formulas containing an instance of the clause head. As the constant ⊤ is provable in any context, in the previous example we obtain a symbolic representation of the infinite set of unsafe states generated by the following minimal violation of mutual exclusion for a generic resource represented via the shared variable X: at least two different processes are in their critical section using a shared resource.

(2) Besides the connection with verification of concurrent systems, the new fixpoint semantics for first order LO programs represents an alternative to the traditional top-down execution of linear logic programs studied in the literature (Andreoli 1992). Thus, also from the point-of-view of logic programming, we extend the applicability of our previous work (Bozzano et al. 2002) (that was restricted to the propositional case) towards more interesting classes of linear logic programs.

(3) The termination of the fixpoint computation cannot be guaranteed in general; first order LO programs are in fact Turing complete. However, we present here sufficient conditions under which we can compute a symbolic representation of all logical consequences of a non trivial first order fragment of LO with universal quantification in goal formulas. As a direct consequence of this result, we obtain that provability is decidable in the considered fragment. To our knowledge, this result uncovers a new decidable fragment of first order linear logic. The fragment taken into consideration is not only interesting from a theoretical point of view, but also as a possible abstract model for "processes" with identifiers or local values.

Though the emphasis of this work is on the theoretical grounds of our method, we will illustrate the practical use of our framework with the help of a verification problem for a mutual exclusion protocol defined for a concurrent system which is parametric in the number of clients, resources, and related monitors. Other practical applications of this method are currently under investigation. Preliminary results in this direction are shown in the PhD thesis of Marco Bozzano (Bozzano 2002).

Finally, we remark that a very preliminary version of this work appeared in the proceedings of FLOPS 2001 (Bozzano et al. 2001).

1.1 Outline of the Paper

The terminology and some notations used in the paper are presented in Appendix A. To improve the readability of the paper, the proofs of some lemmas are given in Appendix B. In Section 2 we will discuss related works. In Section 3 we will recall the main definitions of the fragment LO of (Andreoli and Pareschi 1990), presented here with universal quantification in goal formulas. In order to illustrate the use of LO as a specification logic for concurrent systems, in the same section we will briefly describe how multiset rewriting (extended with quantification) can be embedded into LO. This connection represents a natural entry point into the world of concurrency. In fact, the relationship between multiset rewriting, (Colored) Petri Nets, and process calculi has been extensively studied in the literature (see e.g., Cervesato 1995; Farwer 1999; Farwer 2000; Meseguer 1992; Martí-Oliet and Meseguer 1991). Finally, we will present an example of use of LO as a specification language for concurrent systems, and discuss the relationships between (bottom-up) LO provability and verification techniques based on (infinite-state) model checking. In Section 4 we will introduce a non effective fixpoint semantics for linear logic programs. To simplify the manipulation of non ground terms, we will first lift the top-down (proof theoretical) semantics of LO to the non ground level, by introducing a new proof system in which sequents may have formulas with free variables. In Section 5 we will introduce a general framework for the bottom-up evaluation of LO programs. The bottom-up procedure is based on a finite representation of infinite sets of logical consequences, and on an effective fixpoint operator working on sets of symbolic representations. The bottom-up procedure can be seen as a symbolic version of the semantics presented in Section 4. The reason for introducing two different semantic definitions is to ease the proof of soundness and completeness, which is split into the proof of equivalence of the effective semantics with respect to the non-effective one, and the proof of equivalence of the non-effective semantics with respect to the operational one. In Section 6 we will investigate sufficient conditions for the termination of the bottom-up evaluation. In Section 7 we will discuss the possible application of the resulting method as a verification procedure for infinite-state parameterized systems. In Section 8 we will address possible future directions of research. In Section 9 we will draw some conclusions.



2 Related Works 

To our knowledge, our work is the first attempt to connect algorithmic techniques used in symbolic model checking with declarative and operational aspects of first order linear logic programming. In (Bozzano et al. 2002), we have considered the relation between propositional LO and Petri Nets. Specifically, in (Bozzano et al. 2002) we have shown that the bottom-up semantics is computable for propositional LO programs (because of the relationship of this problem with the coverability problem of Petri Nets). Furthermore, in (Bozzano et al. 2002) we have shown that the bottom-up evaluation of propositional LO programs enriched with the constant 1 is not computable in a finite number of steps (otherwise one could decide the equivalence problem for Petri Nets).

We point out here that an original contribution of the paper consists in extending the construction we used for proving the computability of the bottom-up construction of propositional LO programs to first order LO specifications. This way, we have established a link with more complex models of concurrency. Clearly, in the first order case provability becomes undecidable. In the paper we present a non trivial special case of first order LO programs in which the bottom-up semantics is still computable. Extending the bottom-up evaluation to LO programs enriched with the constant 1 is a possible future direction of research (see Section 8 for a discussion).

In (Harland and Winikoff 1998), Harland and Winikoff present an abstract deductive system for bottom-up evaluation of linear logic programs. The left introduction plus weakening and cut rules are used to compute the logical consequences of a given formula. Though the framework is given for a more general fragment than LO, it does not provide an effective procedure to evaluate programs. In (Andreoli et al. 1997), Andreoli, Pareschi and Castagnetti define an improved top-down strategy for propositional LO based on Karp-Miller's covering graph of Petri Nets, i.e., a forward exploration with accelerations.

The relation between Rewriting, (Colored) Petri Nets and Linear Logic has been investigated in previous works like (Cervesato 1994; Cervesato 1995; Engberg and Winskel 1990; Meseguer 1992; Martí-Oliet and Meseguer 1991). Our point-of-view is based on the proofs as computations metaphor proposed in (Andreoli and Pareschi 1990; Andreoli 1992; Miller 1996), whereas our connection with models for concurrency is inspired by works in this field like (Cervesato 1994; Cervesato 1995; Delzanno and Martelli 2001; Kobayashi and Yonezawa 1994; Miller 1993; Miller 1996). As an example, in (Cervesato 1994; Cervesato 1995), Cervesato shows how to encode Petri Nets in different fragments of linear logic like LO, Lolli (Hodas and Miller 1990), and Forum (Miller 1996), exploiting the different features of these languages. Algorithmic aspects for verification of properties of the resulting linear logic specifications are not considered in the works mentioned above. In (Farwer 1999; Farwer 2000), Farwer presents a possible encoding of Colored Petri Nets in Linear Logic and proposes a combination of the two formalisms that could be used to model object systems.

The problem of the decidability of provability in fragments of linear logic has been investigated in several works in recent years (Lincoln 1995; Lincoln et al. 1992; Lincoln and Scedrov 1994). Specifically, in (Kopylov 1995), Kopylov has shown that the full propositional linear affine logic containing all the multiplicatives, additives, exponentials, and constants is decidable. Affine logic can be viewed as linear logic with the weakening rule. Propositional LO belongs to such a sub-structural logic. Provability in full first order linear logic is undecidable, as shown by Girard's translation of first order logic into first order linear logic (Girard 1987). The same holds for first order affine logic (Girard's encoding can also be viewed as an encoding into affine logic (Lincoln 1995)). First order linear logic without modalities, i.e., without the possibility of re-using formulas, is decidable (Lincoln and Scedrov 1994). In (Cervesato et al. 1999), Cervesato et al. use a formalism based on multiset-rewriting and existential quantification that can be embedded into our fragment of linear logic to specify protocol rules and actions of intruders. In (Durgin et al. 1999), it is shown that reachability in multiset rewriting with existential quantification is undecidable by a reduction from Datalog with quantification in goal formulas. The fragment they consider however is much more general than the monadic fragment of LO∀. Monadic LO∀ can be viewed as a fragment of first order linear affine logic with restricted occurrences of the exponentials (program clauses are re-usable) and severe restrictions on the form of atomic formulas. We are not aware of previous results on similar fragments.

3 The Logic Programming Language LO 

LO (Andreoli and Pareschi 1991) is a logic programming language based on a fragment of LinLog (Andreoli 1992). Its mathematical foundations lie on a proof-theoretical presentation of a fragment of linear logic defined over the linear connectives ⊸ (linear implication; we use the reversed notation H ∘- G for G ⊸ H), & (additive conjunction), ⅋ (multiplicative disjunction), and the constant ⊤ (additive identity). In this section we present the proof-theoretical semantics, corresponding to the usual top-down operational semantics for traditional logic programming languages, for an extension of LO. First of all, we consider a slight extension of LO which admits the constant ⊥ in goals and clause heads. More importantly, we allow the universal quantifier to appear, possibly nested, in goals. This extension is inspired by multiset rewriting with universal quantification (Cervesato et al. 1999). The resulting language will be called LO∀ hereafter. Following (Andreoli and Pareschi 1991), we give the following definitions.

Definition 3.1 (Atomic Formulas)

Let Σ be a signature with predicates including a set of constant and function symbols C and a set of predicate symbols 𝒫, and let V be a denumerable set of variables. An atomic formula over Σ and V has the form p(t1, ..., tn) (with n ≥ 0), where p ∈ 𝒫 and t1, ..., tn are (non ground) terms built from C and V. We denote the set of such atomic formulas as A_Σ.

We are now ready to define LO∀ programs. The class of D-formulas corresponds to multiple-headed program clauses, whereas G-formulas correspond to goals to be evaluated in a given program.

Definition 3.2 (LO∀ programs)

Let Σ be a signature with predicates and V a denumerable set of variables. The classes of G-formulas (goal formulas), H-formulas (head formulas), and D-formulas (program clauses) over Σ and V are defined by the following grammar:

G ::= G ⅋ G | G & G | ∀x.G | A | ⊤ | ⊥

H ::= A ⅋ ... ⅋ A | ⊥

D ::= H ∘- G | D & D | ∀x.D

where A stands for an atomic formula over Σ and V. An LO∀ program over Σ and V is a D-formula over Σ and V. A multiset of goal formulas will be called a context hereafter.
Remark 3.3

Given an LO∀ program P, in the rest of the paper we often find it convenient to view P as the set of clauses D1, ..., Dn. Every program clause Di has the form ∀(H ∘- G), standing for ∀x1 ... xk.(H ∘- G), where FV(H ∘- G) = {x1, ..., xk}. Formally, this is justified by the following logical equivalences (Girard 1987):

!(D1 & D2) ≡ !D1 ⊗ !D2
∀x.(D1 & D2) ≡ ∀x.D1 & ∀x.D2

For the sake of simplicity, in the following we usually omit the universal quantifier in D-formulas, i.e., we consider free variables as being implicitly universally quantified.

Definition 3.4 (LO∀ Sequents)

Let Σ be a signature with predicates and V a denumerable set of variables. An LO∀ sequent has the form P ⊢Σ' G1, ..., Gk, where P is an LO∀ program over Σ and V, G1, ..., Gk is a context (i.e., a multiset of goals) over Σ and V, and Σ' is a signature such that Σ ⊆ Σ'.

According to Remark 3.3, structural rules (exchange, weakening and contraction) are allowed on the left-hand side, while on the right-hand side only the rule of exchange is allowed (for the fragment under consideration, it turns out that the rule of weakening is admissible, while contraction is forbidden). We now define provability in LO∀.

Definition 3.5 (Ground Instances)

Let Σ be a signature with predicates and V a denumerable set of variables. Given an LO∀ program P over Σ and V, the set of ground instances of P, denoted Gnd(P), is defined as follows: Gnd(P) = {(H ∘- G)θ | ∀(H ∘- G) ∈ P}, where θ is a grounding substitution for H ∘- G (i.e., it maps variables in FV(H ∘- G) to ground terms in

The execution of a multiset of G-formulas G1, ..., Gk in P corresponds to a goal-driven proof for the sequent P ⊢Σ G1, ..., Gk. According to this view, the operational semantics of LO∀ is given via the uniform (focusing) proof system (Andreoli 1992) presented in Figure 1, where P is a set of clauses, 𝒜 is a multiset of atomic formulas, and Δ is a multiset of G-formulas. We have used a multiset notation for heads: where H is a linear disjunction of atomic formulas A1 ⅋ ... ⅋ An, the same H also denotes the multiset A1, ..., An (by convention, ⊥ = ε, where ε is the empty multiset).

Definition 3.6 (LO∀ provability)

Let Σ be a signature with predicates and V a denumerable set of variables. Given an LO∀ program P and a goal G, over Σ and V, we say that G is provable from P if there exists a proof tree, built over the proof system of Figure 1, with root P ⊢Σ G, and such that every branch is terminated with an instance of the axiom.

The concept of uniformity applied to LO requires that the right rules ⊤r, ⅋r, &r, ⊥r, ∀r have priority over bc, i.e., bc is applied only when the right-hand side of a sequent is a multiset of atomic formulas (as suggested by the notation 𝒜 in Figure 1).

⊤r: P ⊢Σ ⊤, Δ (axiom)
⅋r: from P ⊢Σ G1, G2, Δ infer P ⊢Σ G1 ⅋ G2, Δ
&r: from P ⊢Σ G1, Δ and P ⊢Σ G2, Δ infer P ⊢Σ G1 & G2, Δ
⊥r: from P ⊢Σ Δ infer P ⊢Σ ⊥, Δ
∀r: from P ⊢Σ,c G[c/x], Δ infer P ⊢Σ ∀x.G, Δ (c ∉ Σ)
bc: from P ⊢Σ G, 𝒜 infer P ⊢Σ H, 𝒜 (H ∘- G ∈ Gnd(P))

Fig. 1. A proof system for LO∀

The proof system of Figure 1 is a specialization of more general uniform proof systems for linear logic like Andreoli's focusing proofs (Andreoli 1992) and Forum (Miller 1996). Rule bc is analogous to a backchaining (resolution) step in traditional logic programming languages. Note that according to the concept explained above, bc can be executed only if the right-hand side of the current LO∀ sequent consists of atomic formulas. As an instance of rule bc, we get the following proof fragment, which deals with the case of clauses with empty head:

P ⊢Σ G, 𝒜
─────────── bc
P ⊢Σ 𝒜

provided ⊥ ∘- G ∈ Gnd(P)

Given that clauses with empty head are always applicable in atomic contexts, the 
degree of non-determinism they introduce in proof search is usually considered un- 
acceptable l|Miller 1996|l and in particular they are forbidden in the original presen- 
tation of LO IjAndreoli and Pareschi 1991|l . However, the computational model we 
are interested in, i.e., bottom-up evaluation, does not suffer this drawback. Clauses 
with empty head often allow more flexible specifications. 

LO clauses having the form H ∘- ⊥ simply remove the resources associated with H from the right-hand side of the current sequent (H is rewritten into the empty multiset). On the contrary, LO clauses having the form H ∘- ⊤ can be viewed as termination rules. In fact, when a backchaining step over such a clause is possible, we get a successful (branch of a) computation, independently of the current context Δ, as shown in the following proof scheme:

─────────── ⊤r
P ⊢Σ ⊤, Δ
─────────── bc
P ⊢Σ H, Δ

provided H ∘- ⊤ ∈ Gnd(P)

This observation is formally stated in the following proposition (we recall that ≼ is the multiset inclusion relation).

Proposition 1 (Admissibility of the Weakening Rule)

Given an LO∀ program P and two multisets of goals Δ, Δ' such that Δ ≼ Δ', if P ⊢Σ Δ then P ⊢Σ Δ'.
Proof

By simple induction on the structure of LO∀ proofs. □

Admissibility of the weakening rule makes LO∀ an affine fragment of linear logic (Kopylov 1995). Note that all structural rules are admissible on the left hand side (i.e., on the program part) of LO∀ sequents.

Finally, rule ∀r can be used to dynamically introduce new names during the computation. The initial signature Σ must contain at least the constant, function, and predicate symbols of a given program P, and it can dynamically grow thanks to rule ∀r.

Remark 3.7

Particular attention must be paid to the constants introduced in a derivation. They cannot be extruded from the scope of the corresponding universal quantifier. For this reason, every time rule ∀r is applied, a new constant c is added to the current signature, and the resulting goal is proved in the new signature. The idea is that all terms appearing on the right-hand side of a sequent are implicitly assumed to range over the relevant signature. This behavior is standard in logic programming languages (Miller et al. 1991).

Example 3.8

Let Σ be a signature with a constant symbol a, a function symbol f and predicate symbols p, q, r, s. Let V be a denumerable set of variables, and u, v, w, ... ∈ V. Let P be the program

1. r(w) ∘- q(f(w)) ⅋ s(w)

2. s(z) ∘- ∀x.p(f(x))

3. ⊥ ∘- q(u) & r(v)

4. p(x) ⅋ q(x) ∘- ⊤

The goal s(a) is provable from P. The corresponding proof is shown in Figure 2 (where we have denoted by bc(i) the application of the backchaining rule over clause number i of P). Note that the notion of ground instance is now relative to the current signature. For instance, backchaining over clause 3 is possible because the corresponding signature contains the constant c (generated one level below by the ∀r rule), and therefore ⊥ ∘- q(f(c)) & r(c) is a valid instance of clause 3.

□
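As an added example (not the paper's code), a bounded top-down prover for the proof system of Figure 1, run on the program of Example 3.8. Assumptions made here and not in the paper: the signature is modelled as a set of constant names, body variables left unbound by head matching are instantiated with ground subterms of the current context (a search restriction that keeps bc finitely branching), and the search is bounded by the number of bc steps on a branch.

```python
"""Bounded top-down proof search for the LO-forall proof system of Figure 1
(added example, not the paper's code).  Variables: upper-case strings;
constants: lower-case strings; compound terms: tuples (functor, arg, ...);
goals: an atom (pred, arg, ...), ('par', G1, G2), ('with', G1, G2),
('all', 'X', G), 'top', 'bot'.  Assumed here: the signature is a set of
constant names, and body variables not bound by head matching range over the
ground subterms of the context (a search restriction, not part of LO).
"""
import itertools

_fresh = itertools.count(1)  # supplies the new constants of rule forall-r

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def subst(t, s):  # apply substitution s, respecting forall-bound variables
    if is_var(t):
        return s.get(t, t)
    if isinstance(t, tuple):
        if t[0] == "all":
            inner = {k: v for k, v in s.items() if k != t[1]}
            return ("all", t[1], subst(t[2], inner))
        return (t[0],) + tuple(subst(a, s) for a in t[1:])
    return t

def free_vars(t):
    if is_var(t):
        return {t}
    if not isinstance(t, tuple):
        return set()
    if t[0] == "all":
        return free_vars(t[2]) - {t[1]}
    return set().union(*(free_vars(a) for a in t[1:]))

def match(pat, term, s):  # one-way matching: extend s so that subst(pat, s) == term
    if is_var(pat):
        if pat in s:
            return s if s[pat] == term else None
        return {**s, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and pat[0] == term[0] and len(pat) == len(term):
        for a, b in zip(pat[1:], term[1:]):
            s = match(a, b, s)
            if s is None:
                return None
        return s
    return s if pat == term else None

def ground_terms(sigma, atoms):  # signature constants plus every subterm of the context
    found, todo = set(sigma), [a for atom in atoms for a in atom[1:]]
    while todo:
        t = todo.pop()
        found.add(t)
        if isinstance(t, tuple):
            todo.extend(t[1:])
    return sorted(found, key=repr)

def provable(P, sigma, ctx, fuel):
    """Search for a proof of P |-_sigma ctx using at most `fuel` bc steps per branch."""
    if "top" in ctx:                                  # top-r: the axiom
        return True
    for i, g in enumerate(ctx):                       # right rules take priority over bc
        rest = ctx[:i] + ctx[i + 1:]
        if g == "bot":                                # bot-r: bot is the empty multiset
            return provable(P, sigma, rest, fuel)
        if isinstance(g, tuple) and g[0] == "par":    # par-r: split the disjunction
            return provable(P, sigma, rest + [g[1], g[2]], fuel)
        if isinstance(g, tuple) and g[0] == "with":   # with-r: both premises must be proved
            return provable(P, sigma, rest + [g[1]], fuel) and provable(P, sigma, rest + [g[2]], fuel)
        if isinstance(g, tuple) and g[0] == "all":    # forall-r: new constant, larger signature
            c = "c%d" % next(_fresh)
            return provable(P, sigma | {c}, rest + [subst(g[2], {g[1]: c})], fuel)
    if fuel == 0:                                     # only bc is left and the budget is spent
        return False
    terms = ground_terms(sigma, ctx)
    for head, body in P:                              # bc: H o- G in Gnd(P), H inside the context
        for pos in itertools.permutations(range(len(ctx)), len(head)):
            s = {}
            for h, j in zip(head, pos):
                s = match(h, ctx[j], s)
                if s is None:
                    break
            if s is None:
                continue
            rest = [a for j, a in enumerate(ctx) if j not in pos]
            unbound = sorted(free_vars(body) - set(s))
            for vals in itertools.product(terms, repeat=len(unbound)):
                inst = subst(body, {**s, **dict(zip(unbound, vals))})
                if provable(P, sigma, rest + [inst], fuel - 1):
                    return True
    return False

# The program of Example 3.8, clause numbers as in the paper.
EXAMPLE_P = [
    ([("r", "W")], ("par", ("q", ("f", "W")), ("s", "W"))),  # 1. r(w) o- q(f(w)) par s(w)
    ([("s", "Z")], ("all", "X", ("p", ("f", "X")))),         # 2. s(z) o- forall x. p(f(x))
    ([], ("with", ("q", "U"), ("r", "V"))),                  # 3. bot o- q(u) & r(v)
    ([("p", "X"), ("q", "X")], "top"),                       # 4. p(x) par q(x) o- top
]
```

Because the search is bounded, False only means that no proof was found within the bound; with 4 bc steps per branch, `provable(EXAMPLE_P, {"a"}, [("s", "a")], 4)` rebuilds the proof of Figure 2, while the goal q(a) is reported unprovable.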

3.1 Simulating Multiset Rewriting over First Order Atoms 

In this section we will focus our attention on the relationship between multiset 
rewriting over first order atoms and first order LO theories. We will conclude by 
showing how enriching logic theories with universal quantification can provide a 
way to generate new values. 

The connection between multiset rewriting systems over (first order) atomic formulas and (first order) LO theories has been studied, e.g., in (Cervesato 1994; Cervesato et al. 1999). In (Cervesato 1994) Cervesato presents different possible encodings of multiset rewriting (without function symbols) in linear logic. Specifically, he first presents an encoding in the multiplicative fragment of intuitionistic linear logic (MILL), where multiplicative conjunction $\otimes$ ("tensor") and linear implication are used as multiset constructor and rewrite relation, respectively. As an example, the formula $p \otimes q \multimap r \otimes s$ represents a rewrite rule in which $p$ and $q$ are rewritten into $r$ and $s$ ($\otimes$ denotes the "tensor").

M. Bozzano, G. Delzanno and M. Martelli

Fig. 2. An example of LO∀ proof (the proof of the goal $s(a)$ from the program of Example 3.8; read bottom-up, $bc^{(i)}$ denotes backchaining over clause $i$):

    P ⊢_Σ s(a)                                        bc^(2)
    P ⊢_Σ ∀x.p(f(x))                                  ∀_r
    P ⊢_{Σ,c} p(f(c))                                 bc^(3)
    P ⊢_{Σ,c} p(f(c)), q(f(c)) & r(c)                 &_r, two branches:
      left:   P ⊢_{Σ,c} p(f(c)), q(f(c))              bc^(4)
              P ⊢_{Σ,c} ⊤                             ⊤_r
      right:  P ⊢_{Σ,c} p(f(c)), r(c)                 bc^(1)
              P ⊢_{Σ,c} p(f(c)), q(f(c)) ⅋ s(c)       ⅋_r
              P ⊢_{Σ,c} p(f(c)), q(f(c)), s(c)        bc^(4)
              P ⊢_{Σ,c} ⊤, s(c)                       ⊤_r

As highlighted in Remark 5.12 of (Cervesato 1994), an equivalent encoding can be given by choosing a fragment of classical linear logic contained in LO in which multiplicative disjunction and reverse linear implication are used as multiset constructor and rewrite relation, respectively. As an example, the formula $p \parr q \circ\!- r \parr s$ represents a rewrite rule in which $p$ and $q$ are rewritten into $r$ and $s$. This is the encoding we will adopt in our work.

The duality of the two encodings is a consequence of the following property: $(p \otimes q \multimap r \otimes s)^\perp = p^\perp \parr q^\perp \circ\!- r^\perp \parr s^\perp$, where $a^\perp$ is the linear logic negation of $a$. Furthermore, it depends on the way proofs are interpreted as computations, i.e., on whether "rewrite rules" are encoded as formulas that occur on the left- or on the right-hand side of a sequent.

In Section 5.2.2 of (Cervesato 1994) Cervesato also presents an encoding of Petri Nets in LO that allows one to simulate the execution of a net using an LO top-down derivation of the resulting program. In Section 5 of (Cervesato et al. 1999) the encoding of multiset rewriting over first order atomic formulas (MSR) is extended to first order MILL with existential quantifiers. Thanks to its logical nature, the duality with the first order fragment of LO still holds.

To illustrate the main ideas behind the interpretation of LO as multiset rewriting, 
let us first define the following class of LO formulas. 

Definition 3.9

We call LO rewrite rule any LO formula having the following form

$$\forall(A_1 \parr \ldots \parr A_n \circ\!- B_1 \parr \ldots \parr B_m)$$

where $A_1, \ldots, A_n$ and $B_1, \ldots, B_m$ are atomic formulas over $\Sigma$ and $V$.

Fig. 3. Multiset rewriting over first order atomic formulas as LO proof construction (read bottom-up; left column: derivation, right column: rewriting; the atoms selected by the $bc$ rule are marked in brackets):

      :
    P ⊢_Σ p(a), p(f(f(b))), q(b), q(b), q(f(f(b)))        {p(a), p(f(f(b))), q(b), q(b), q(f(f(b)))}
      ⅋_r
    P ⊢_Σ p(a), q(b), p(f(f(b))) ⅋ q(b) ⅋ q(f(f(b)))
      bc
    P ⊢_Σ p(a), [p(f(b))], q(b), [q(f(b))]               {p(a), p(f(b)), q(b), q(f(b))}
      ⅋_r
    P ⊢_Σ p(a), p(f(b)) ⅋ q(b) ⅋ q(f(b))
      bc
    P ⊢_Σ p(a), [p(b)], [q(f(b))]                         {p(a), p(b), q(f(b))}
      ⅋_r
    P ⊢_Σ p(a) ⅋ p(b) ⅋ q(f(b))

    Derivation                                             Rewriting

As usual, the notation $\forall(H \circ\!- G)$ stands for the universal quantification of clause $H \circ\!- G$ over its free variables.

LO formulas having the form depicted above can be interpreted as multiset rewriting rules in which rewriting can be performed only at the level of atomic formulas, as in the MSR framework defined in (Cervesato et al. 1999).

Specifically, let $P$ be a set of LO rewrite rules (as in Def. 3.9). Now, consider a goal formula $G$ having the form $C_1 \parr \ldots \parr C_k$, where $C_1, \ldots, C_k$ are ground atomic formulas over $\Sigma$. It is easy to verify that any derivation starting from $P \vdash G$ and built using LO proof rules amounts to a sequence of multiset rewriting steps, where $\parr$ is interpreted as multiset constructor.

Example 3.10

Let $\Sigma$ be a signature with two constant symbols $a$ and $b$, one function symbol $f$ and two predicate symbols $p, q$. Let $V$ be a denumerable set of variables and $x, y \in V$. Let $P$ consist of the LO clause

$$\forall x, y.\; p(x) \parr q(f(y)) \circ\!- p(f(x)) \parr q(y) \parr q(f(x))$$

and $G = p(a) \parr p(b) \parr q(f(b))$. Figure 3 shows one possible sequence of applications of the above clause that starts from the sequent $P \vdash_\Sigma G$ (the atomic formulas selected in the application of the $bc$ rule are marked in the figure). □

From the previous example, we can observe the following properties. All derivations built using LO rewrite rules of Def. 3.9 consist of applications of $\parr_r$ and $bc$. Thus, they have no branching (all derivations form a single line). The combination of a sequence of applications of the $\parr_r$ rule and of the backchaining rule has the following effect: the head of a ground instance of a rule in $P$ is matched against a sub-multiset of the current goal; the selected multiset is replaced by the body of the rule. Clearly, this property allows us to simulate multiset rewriting over first order atomic formulas by using LO rewrite rules.
Now, let $F_1$ be the clause

$$p(a) \parr p(f(f(b))) \parr q(b) \parr q(b) \parr q(f(f(b))) \circ\!- \top$$

If we enrich $P$ with $F_1$, then we can transform the partial derivation of Figure 3 into an LO proof as shown below (where $\delta$ stands for the derivation fragment of Figure 3):

    P ⊢_Σ ⊤
    ----------- bc (over F_1)
        δ

It is important to note that the same effect can be achieved by adding any formula with $\top$ that contains a sub-multiset of the right-hand side of the last sequent in the derivation of Figure 3. As an example, let $F_2$ be the formula

If we enrich $P$ with $F_2$, then we can transform the partial derivation of Figure 3 into an LO proof as shown below (again, $\delta$ stands for the derivation fragment of Figure 3):

    P ⊢_Σ ⊤, p(f(f(b))), q(b), q(f(f(b)))
    --------------------------------------- bc (over F_2)
        δ

More in general, let $P$ be a set of LO rewrite rules over $\Sigma$ and $V$, and $M, M'$ two multisets of ground atomic formulas (two configurations). Furthermore, let $G$ and $H$ be the (possibly empty) $\parr$-disjunctions of ground atomic formulas such that $H = M'$ and $G = M$. Then, the provability of the sequent $P, H \circ\!- \top \vdash G$ precisely characterizes the problem of coverability for the multiset (configuration) $M'$: namely, $P, H \circ\!- \top \vdash G$ is provable if and only if there exists a sequence of multiset rewriting steps defined over the theory $P$ that, starting from $M$, reaches a configuration $N$ that covers $M'$, i.e., such that $M' \preccurlyeq N$.

This is a straightforward consequence of the properties of clauses like $H \circ\!- \top$ (it succeeds only if a sub-multiset of the right-hand side of the current sequent matches $H$) and of the fact that, when working with LO rewrite rules, derivations have no branching. In other words, the only way we can transform a partial derivation like the one in Figure 3 into a proof is to apply (once and only once, since derivations form a single line) the clause with $\top$ (i.e., the target configuration is reached).
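The rewriting step of Def. 3.9 and Example 3.10 and the coverability check just described, as an added example in Python (our own code, not the paper's): terms are encoded as nested tuples with variables written as "?x", a configuration is a multiset of ground atoms, and the search for a configuration covering the head of a clause with ⊤ is bounded by a step count, since the rewriting system of Example 3.10 is infinite-state.

```python
"""Added example (not from the paper): LO rewrite rules (Def. 3.9) run as
multiset rewriting over first-order atoms, plus a bounded coverability check."""
from collections import Counter
from itertools import permutations

# Encoding (ours): a term is a variable (str starting with "?"), a constant (other
# str) or a tuple (functor, arg1, ...); atoms are tuples (predicate, arg1, ...).

def match(pattern, term, subst):
    """One-way matching: extend subst so that pattern[subst] == term.
    Returns the extended substitution, or None if matching fails."""
    if isinstance(pattern, str) and pattern.startswith("?"):
        if pattern not in subst:
            return {**subst, pattern: term}
        return subst if subst[pattern] == term else None
    if isinstance(pattern, tuple):
        if not (isinstance(term, tuple) and len(pattern) == len(term)
                and pattern[0] == term[0]):
            return None
        for p_arg, t_arg in zip(pattern[1:], term[1:]):
            subst = match(p_arg, t_arg, subst)
            if subst is None:
                return None
        return subst
    return subst if pattern == term else None

def apply(subst, term):
    """Instantiate a term or atom under a substitution."""
    if isinstance(term, tuple):
        return (term[0],) + tuple(apply(subst, arg) for arg in term[1:])
    return subst.get(term, term)

def config(*atoms):
    """A configuration: a multiset (Counter) of ground atoms."""
    return Counter(atoms)

def head_matches(head, goal):
    """Yield (substitution, rest) for every way of matching a ground instance of
    the head (a list of atom patterns) against a sub-multiset of goal."""
    atoms, seen = list(goal.elements()), set()
    for chosen in permutations(range(len(atoms)), len(head)):
        subst = {}
        for pat, idx in zip(head, chosen):
            subst = match(pat, atoms[idx], subst)
            if subst is None:
                break
        if subst is None:
            continue
        rest = goal.copy()  # the goal minus the matched atoms
        for idx in chosen:
            rest[atoms[idx]] -= 1
        rest = +rest  # drop atoms whose count reached zero
        key = (frozenset(subst.items()), frozenset(rest.items()))
        if key not in seen:  # equal atoms would yield duplicate matches
            seen.add(key)
            yield subst, rest

def rewrite_steps(rules, goal):
    """Configurations reachable from goal by one bc step followed by ⅋_r:
    the matched head instance is replaced by the body instance."""
    for head, body in rules:
        for subst, rest in head_matches(head, goal):
            successor = rest.copy()
            successor.update(Counter(apply(subst, atom) for atom in body))
            yield successor

def covers(conf, target):
    """target ≼ conf, i.e. target is a sub-multiset of conf."""
    return all(conf[atom] >= n for atom, n in target.items())

def coverable(rules, start, target, max_steps):
    """Bounded coverability (Section 3.1): least number of rewriting steps from
    start to a configuration covering target, i.e. the point where the sequent
    P, H ∘− ⊤ ⊢ G (H = target, G = start) becomes provable; None if no such
    configuration exists within max_steps steps."""
    frontier, seen = [start], {frozenset(start.items())}
    for depth in range(max_steps + 1):
        if any(covers(conf, target) for conf in frontier):
            return depth
        successors = []
        for conf in frontier:
            for nxt in rewrite_steps(rules, conf):
                if frozenset(nxt.items()) not in seen:
                    seen.add(frozenset(nxt.items()))
                    successors.append(nxt)
        frontier = successors
    return None

# Example 3.10: ∀x,y. p(x) ⅋ q(f(y)) ∘− p(f(x)) ⅋ q(y) ⅋ q(f(x))
EXAMPLE_RULES = [([("p", "?x"), ("q", ("f", "?y"))],
                  [("p", ("f", "?x")), ("q", "?y"), ("q", ("f", "?x"))])]
G0 = config(("p", "a"), ("p", "b"), ("q", ("f", "b")))  # the goal G
FIG3_STEP1 = config(("p", "a"), ("p", ("f", "b")), ("q", "b"), ("q", ("f", "b")))
FIG3_STEP2 = config(("p", "a"), ("p", ("f", ("f", "b"))), ("q", "b"), ("q", "b"),
                    ("q", ("f", ("f", "b"))))
F1_HEAD = FIG3_STEP2  # head of F1 = p(a) ⅋ p(f(f(b))) ⅋ q(b) ⅋ q(b) ⅋ q(f(f(b))) ∘− ⊤
if __name__ == "__main__":
    print([dict(s) for s in rewrite_steps(EXAMPLE_RULES, G0)])
    print("F1 applicable after", coverable(EXAMPLE_RULES, G0, F1_HEAD, 3), "steps")
```

The two configurations of Figure 3 are among the successors computed for $G$, and $F_1$ becomes applicable after exactly two rewriting steps, while a target such as $\{p(a), p(a)\}$ is never covered because no body produces a second $p(a)$.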

Coverability is strictly related to the verification problem of safety properties for concurrent systems (Abdulla et al. 1996; Finkel and Schnoebelen 2001). For instance, as shown in (Bozzano et al. 2002), this property allows one to describe properties like coverability for a marking of a Petri Net. Later in the paper we will show how to exploit this property in the more general case of first order specifications.

In a later section we will also discuss a possible characterization of reachability for two configurations using derivability in an extension of LO.

We conclude this section by discussing how universal quantification can be used 
in order to enrich the expressiveness of LO rewrite rules. 
The Role of Universal Quantification. In the proofs-as-computations interpretation of logic programs, universal quantification is a logical operator which provides a way to generate new values. From a logical perspective, this view of universal quantification is based on its proof-theoretical semantics in intuitionistic logic (Miller et al. 1991). We will define first order rewrite rules with universal quantification taking inspiration from (Cervesato et al. 1999), where a similar logic fragment, called MSR, is defined. In (Cervesato et al. 1999), MSR is used for the specification and analysis of security protocols.

Given the direct relationship between (first order) multiset rewriting and (first 
order) linear logic, it should be evident that multiset rewriting with universal quan- 
tification is the counterpart of LO with universal quantification. Having this idea 
in mind, we extend the notion of LO rewrite rule as follows. 

Definition 3.11

We call LO quantified rewrite rule any LO formula having the following form

$$\forall(A_1 \parr \ldots \parr A_n \circ\!- \forall x_1, \ldots, x_n.\,(B_1 \parr \ldots \parr B_m))$$

where $A_1, \ldots, A_n$ and $B_1, \ldots, B_m$ are atomic formulas over $\Sigma$ and $V$.

The operational semantics of LO theories consisting of LO quantified rewrite rules should be clear by looking at the LO proof rule for universally quantified goal formulas: they are eliminated by introducing new constants. This operational behavior naturally corresponds to the extension of multiset rewriting with fresh name generation defined in (Cervesato et al. 1999).

Remark 3.12

As mentioned at the beginning of this section, we remark that in (Cervesato et al. 1999) the logic MSR is compared with a fragment of linear logic which turns out to be dual with respect to ours, and therefore existential quantification is used in place of universal quantification. Specifically, an MSR rule is defined as $A \multimap \exists x.\, B$, meaning that $A$ evolves into $B$ by creating a new name for $x$. In LO with universal quantification the same effect is obtained via the clause $A \circ\!- \forall x.\, B$. In fact, in the goal-driven proof system of LO a computation step is obtained by resolution (i.e., reducing the conclusion of a clause to its premise).

The reader may refer to (Cervesato 1994; Cervesato 1995; Cervesato et al. 1999; Cervesato et al. 2000) for a more formal treatment of the relationship between multiset rewriting and LO.

3.2 Specification of Concurrent Systems 

The connection with multiset rewriting allows us to think about LO as a specifica- 
tion language for concurrent systems. We will illustrate this idea with the help of 
the following example. We consider here a distributed test-and-lock protocol for a 
net with multiple resources, each of which is controlled by a monitor. 

The protocol is as follows. A set of resources, distinguished by means of resource identifiers, and an arbitrary set of processes are given. Processes can non-deterministically request access to any resource. Access to a given resource must be exclusive (only one process at a time). Mutual exclusion is enforced by providing each resource with a semaphore.

Given a propositional symbol $init$, we can encode the initial states of the system as follows:

1. $init \circ\!- init \parr think$

2. $init \circ\!- init \parr m(x, unlocked)$

3. $init \circ\!- \bot$

The atom $think$ represents a thinking (idle) process, while the first order atom $m(x, s)$ represents a monitor for the resource with identifier $x$ and associated semaphore $s$. The semaphore $s$ can assume one of the two values $locked$ or $unlocked$. Clause 1 and clause 2 can modify the initial state by adding, respectively, an arbitrary number of thinking processes and an arbitrary number of resources (with an initially unlocked semaphore). Finally, using clause 3 the atom $init$ can be removed after the initialization phase.

The core of the protocol works as follows:

4. $think \circ\!- wait(x)$

5. $wait(x) \circ\!- think$

6. $wait(x) \parr m(x, unlocked) \circ\!- use(x) \parr m(x, locked)$

7. $use(x) \parr m(x, locked) \circ\!- think \parr m(x, unlocked)$

Using clause 4, a process can non-deterministically request access to any resource with identifier $x$, moving to a waiting state represented by the atom $wait(x)$. Clause 5 allows a process to go back to thinking from a waiting state. By clause 6, a waiting process can synchronize with the relevant monitor and is granted access provided the corresponding semaphore is unlocked. As a result, the semaphore is locked. The atom $use(x)$ represents a process which is currently using the resource with identifier $x$. Clause 7 allows a process to release a resource and go back to thinking, unlocking the corresponding semaphore.

Remark 3.13

In the previous specification we have intentionally introduced a flaw which we will disclose later in the paper. Uncovering this flaw will allow us to explain and better motivate the use of the universal quantifier for the generation of new names.

3.3 Linear Logic and Model Checking 

One of the properties we would like to establish for the specification given in the previous example is that it ensures mutual exclusion for any resource used in the system. One of the difficulties in proving this kind of property is that the specification taken into consideration has an infinite number of possible configurations (all possible rewritings of the goal $init$).

In this paper we will define techniques that can be used to attack this kind of 
verification problems by exploiting an interesting connection between verification 
and bottom-up evaluation of LO programs. 
Fig. 4. Reachability versus provability

    transition system             LO program and proof system
    transition                    rule instance
    current state                 goal formula
    initial state                 initial goal
    upward-closed set of states   LO clause with ⊤
    forward reachability          top-down provability
    backward reachability         bottom-up provability

Let us consider again the protocol specification given in Section 3.2. The mutual exclusion property can be formulated as the following property over reachable configurations. Let $S$ be the set of multisets of atomic formulas (i.e., configurations) reachable in any derivation from the goal $init$. The protocol ensures mutual exclusion for resource $x$ if and only if for any $A \in S$, i.e., any reachable configuration, $\{use(x), use(x)\}$ is not a sub-multiset of $A$. In other words, all goal formulas containing two occurrences of the formula $use(x)$ represent possible violations of mutual exclusion for resource $x$.

Following from the previous observation, a possible way of proving mutual exclusion for our sample protocol is to show that no configurations having the form $\{use(x), use(x), \ldots\}$ can be reached starting from the initial states. This verification methodology can be made effective using a backward exploration of a protocol specification as described in (Abdulla et al. 1996). Specifically, the idea is to saturate the set of predecessor configurations (i.e., compute all possible predecessor configurations of the potential violations) and then check that no initial state occurs in the resulting set.

This verification strategy can be reformulated in a natural way in our fragment of linear logic. First of all, LO formulas with the $\top$ constant can be used to finitely represent all possible violations as follows:

$$U \;=\; \forall x.\, use(x) \parr use(x) \circ\!- \top$$

Backward reachability then amounts to computing all possible logical consequences of the LO specification of the protocol and of the formula $U$. In logic programming this strategy is called bottom-up provability. If the goal $init$ is in the resulting set, then there exists an execution (derivation) terminated by an instance of the axiom $\top$ that leads from $init$ to a multiset of the form $use(x), use(x), A$ for some $x$ and some multiset of atomic formulas $A$. Thus, the use of clauses with $\top$ to represent violations (and admissibility of weakening) allows us to reason independently of the number of processes in the initial states. Following (Abdulla et al. 1996), formulas like $\forall x.\, use(x) \parr use(x) \circ\!- \top$ can be viewed as a symbolic representation of upward-closed sets of configurations.

On the basis of these observations, the relationship between reachability and derivability sketched in the previous sections can be extended as shown in Figure 4.



In order to exploit this connection and extend the backward reachability strategy, in the rest of the paper we will define a bottom-up semantics for first order LO programs. We will define our semantics via a fixpoint operator similar to the $T_P$ operator used for logic programs. The fixpoint semantics will give us an effective way to evaluate an LO program bottom-up, and thus solve verification problems for infinite-state concurrent systems like the one described in this section.

4 A Bottom-up Semantics for LO∀

The proof-theoretical semantics for LO∀ corresponds to the top-down operational semantics based on resolution for traditional logic programming languages like Prolog. In this paper we are interested in finding a suitable definition of bottom-up semantics that can be used as an alternative operational semantics for LO∀ programs. More precisely, we will define an effective and goal-independent procedure to compute all goal formulas which are provable from a given program $P$. This semantics extends the one described in (Bozzano et al. 2002), which was limited to propositional LO programs. In the following, given an LO∀ program $P$, we denote by $\Sigma_P$ the signature comprising the set of constant, function, and predicate symbols in $P$.

4.1 Non-ground Semantics for LO∀

Before discussing the bottom-up semantics, we lift the definition of operational semantics to LO∀ programs. Following (Bozzano et al. 2002), we would like to define the operational semantics of a program $P$ as the set of multisets of atoms which are provable from $P$. This could be done by considering the ground instances of LO∀ program clauses (see Definition 3.5). However, in presence of universal quantification in goals, this solution is not completely satisfactory. Consider, in fact, the following example. Take a signature with a predicate symbol $p$ and two constants $a$ and $b$, and consider the LO∀ program consisting of the axiom $\forall x.\, p(x) \circ\!- \top$ and the program consisting of the two clauses $p(a) \circ\!- \top$ and $p(b) \circ\!- \top$. The two programs would have the same ground semantics (i.e., consisting of the two singleton multisets $\{p(a)\}$ and $\{p(b)\}$). However, the LO∀ goal $\forall x.\, p(x)$ succeeds only in the first program, as the reader can verify. In order to distinguish the two programs, we need to consider the non-ground semantics. In particular, our aim in this section will be to extend the so-called C-semantics of (Falaschi et al. 1993) to first order LO.

First of all, we give the following definition.

Definition 4.1 (Clause Variants)

Given an LO∀ program $P$, the set of variants of clauses in $P$, denoted $Vrn(P)$, is defined as follows:

$$Vrn(P) = \{(H \circ\!- G)\theta \mid \forall(H \circ\!- G) \in P \text{ and } \theta \text{ is a renaming of the variables in } FV(H \circ\!- G) \text{ with new variables}\}.$$

Now, we need to reformulate the proof-theoretical semantics of Section 3 (see Figure 1). According to the C-semantics of (Falaschi et al. 1993), our goal is to define the set of non-ground goals which are provable from a given program $P$ with an empty answer substitution. Slightly departing from (Falaschi et al. 1993), we modify the proof system of Figure 1 as follows. Sequents are now defined over non-ground goals. The backchaining rule of Figure 1 is replaced by the new rule shown in Figure 5 (where, as usual, $\mathcal{A}$ denotes a multiset of atomic formulas). The right-introduction rules and the axioms are as in Figure 1. This proof system is based on the idea of considering a first order program as the (generally infinite) collection of (non-ground) instances of its clauses. By instance of a clause $H \circ\!- G$, we mean a clause $H\theta \circ\!- G\theta$, where $\theta$ is any substitution. The reader can see that, with this intuition, the set of goals provable from the system modified with the backchaining rule shown in Figure 5 corresponds to the set of non-ground goals which are provable with an empty answer substitution according to (Falaschi et al. 1993). This formulation of the proof system is the proof-theoretical counterpart of the bottom-up semantics we will define in the following.

$$\frac{P \vdash_\Sigma G\theta, \mathcal{A}}{P \vdash_\Sigma H\theta, \mathcal{A}}\; bc \qquad (H \circ\!- G) \in Vrn(P)$$

Fig. 5. Backchaining rule working over non-ground goals

All formulas (and also substitutions) on the right-hand side of the sequents in the proof system obtained from Figure 1 by replacing the backchaining rule with the rule of Figure 5 are implicitly assumed to range over the set of non-ground terms over $\Sigma$. Every time rule $\forall_r$ is fired, a new constant $c$ is added to the current signature, and the resulting goal is proved in the new signature (see Remark 3.7). Rule $bc$ denotes a backchaining (resolution) step, where $\theta$ indicates any substitution. For our purposes, we can assume $Dom(\theta) \subseteq FV(H) \cup FV(G)$ (we remind that $FV(F)$ denotes the free variables of $F$). Note that $H \circ\!- G$ is assumed to be a variant, therefore it has no variables in common with $\mathcal{A}$. According to the usual concept of uniformity, $bc$ can be executed only if the right-hand side of the current sequent consists of atomic formulas. Rules $\top_r$, $\parr_r$, $\&_r$ and $\bot_r$ are the same as in propositional LO. A sequent is provable if all branches of its proof tree terminate with instances of the axiom.

Clearly, the proof system obtained by considering the rule of Figure 5 is not effective; however, it will be sufficient for our purposes. An effective way to compute the set of goals which are provable in the above proof system will be discussed in a later section.

We give the following definition, where $\vdash_\Sigma$ denotes the provability relation defined by the proof system of Figure 1 in which the backchaining rule has been replaced by the rule of Figure 5.

Definition 4.2 (Operational Semantics)

Given an LO∀ program $P$, its operational semantics, denoted $O(P)$, is given by

$$O(P) = \{\mathcal{A} \mid \mathcal{A} \text{ is a multiset of (non-ground) atoms in } \mathcal{A}_{\Sigma_P} \text{ and } P \vdash_{\Sigma_P} \mathcal{A}\}.$$
Intuitively, the set $O(P)$ is closed by instantiation, i.e., $\mathcal{A}\theta \in O(P)$ for any substitution $\theta$, provided $\mathcal{A} \in O(P)$. Note that the operational semantics only includes multisets of (non-ground) atoms, therefore no connective (including the universal quantifier) can appear in the set $O(P)$. However, the intuition will be that the variables appearing in a multiset in $O(P)$ must be implicitly considered universally quantified (e.g., $\{p(x), q(x)\} \in O(P)$ implies that the goal $\forall x.\,(p(x) \parr q(x))$ is provable from $P$). Also note that the information on provable facts from a given program $P$ is all we need to decide whether a general goal (possibly with nesting of connectives) is provable from $P$ or not. In fact, according to the LO∀ proof-theoretical semantics, provability of a compound goal can always be reduced to provability of a finite set of atomic multisets.

4.2 Fixpoint Semantics for LO∀

We will now discuss the bottom-up semantics. In order to deal with universal quantification (and therefore signature augmentation), we extend the definitions of Herbrand base and (concrete) interpretations given in (Bozzano et al. 2002) as follows. Let $Sig_P$ be the set of all possible extensions of the signature $\Sigma_P$ associated to a program $P$ with new constants. The definition of Herbrand base now depends explicitly on the signature, and interpretations can be thought of as infinite tuples, with one element for every signature $\Sigma \in Sig_P$. From here on the powerset of a given set $D$ will be indicated as $\wp(D)$. We give then the following definitions.

Definition 4.3 (Herbrand Base)

Given an LO∀ program $P$ and a signature $\Sigma \in Sig_P$, the Herbrand base of $P$ over $\Sigma$, denoted $HB_\Sigma(P)$, is given by

$$HB_\Sigma(P) = MS(\mathcal{A}_\Sigma) = \{\mathcal{A} \mid \mathcal{A} \text{ is a multiset of (non-ground) atoms in } \mathcal{A}_\Sigma\}.$$
Definition 4.4 (Interpretations)

Given an LO∀ program $P$, a (concrete) interpretation is a family of sets $\{I_\Sigma\}_{\Sigma \in Sig_P}$, where $I_\Sigma \in \wp(HB_\Sigma(P))$ for every $\Sigma \in Sig_P$.

In the following we often use the notation $I$ for an interpretation to denote the family $\{I_\Sigma\}_{\Sigma \in Sig_P}$.

Interpretations form a complete lattice where inclusion and least upper bound are defined as (component-wise) set inclusion and union. In the following definition we therefore overload the symbols $\subseteq$ and $\cup$ for sets.

Definition 4.5 (Interpretation Domain)

Interpretations form a complete lattice $(\mathcal{D}, \subseteq)$, where:

• $\mathcal{D} = \{I \mid I \text{ is an interpretation}\}$;

• $I \subseteq J$ if and only if $I_\Sigma \subseteq J_\Sigma$ for every $\Sigma \in Sig_P$;

• the least upper bound of $I$ and $J$ is $\{I_\Sigma \cup J_\Sigma\}_{\Sigma \in Sig_P}$;

• the bottom and top elements are $\{\emptyset\}_{\Sigma \in Sig_P}$ and $\{HB_\Sigma(P)\}_{\Sigma \in Sig_P}$, respectively.
Before introducing the definition of fixpoint operator, we need to define the notion of satisfiability of a context $\Delta$ (a multiset of goal formulas) in a given interpretation $I$. For this purpose, we introduce the judgment $I \models_\Sigma \Delta \blacktriangleright C$, where $I$ is an input interpretation, $\Delta$ is an input context, and $C$ is an output fact (a multiset of atomic formulas). The judgment is also parametric with respect to a given signature $\Sigma$.

The need for this judgment, with respect to the familiar logic programming setting (Gabbrielli et al. 1995), is motivated by the arbitrary nesting of connectives in LO∀ clause bodies. The satisfiability judgment is modeled according to the right-introduction rules of the connectives. In other words, the computation performed by the satisfiability judgment corresponds to top-down steps inside our bottom-up semantics. Intuitively, the parameter $C$ must be thought of as an output fact such that $C + \Delta$ is valid in $I$. The notion of output fact will simplify the presentation of the algorithmic version of the judgment, which we will present in a later section. The notion of satisfiability is modeled according to the right-introduction (decomposition) rules of the proof system, as follows (we remind that '+' denotes multiset union).

Definition 4.6 (Satisfiability Judgment)

Let $P$ be an LO∀ program, $\Sigma \in Sig_P$, and $I = \{I_\Sigma\}_{\Sigma \in Sig_P}$ an interpretation. The satisfiability judgment $\models_\Sigma$ is defined as follows:

$I \models_\Sigma \top, \Delta \blacktriangleright C$ for any fact $C$ in $HB_\Sigma(P)$;
$I \models_\Sigma \mathcal{A} \blacktriangleright C$ if $\mathcal{A} + C \in I_\Sigma$;
$I \models_\Sigma \forall x.\,G, \Delta \blacktriangleright C$ if $I \models_{\Sigma,c} G[c/x], \Delta \blacktriangleright C$, with $c \notin \Sigma$ (see Remark 4.7);
$I \models_\Sigma G_1 \,\&\, G_2, \Delta \blacktriangleright C$ if $I \models_\Sigma G_1, \Delta \blacktriangleright C$ and $I \models_\Sigma G_2, \Delta \blacktriangleright C$;
$I \models_\Sigma G_1 \parr G_2, \Delta \blacktriangleright C$ if $I \models_\Sigma G_1, G_2, \Delta \blacktriangleright C$;
$I \models_\Sigma \bot, \Delta \blacktriangleright C$ if $I \models_\Sigma \Delta \blacktriangleright C$.

Remark 4.7

When using the notation $I \models_\Sigma \Delta \blacktriangleright C$ we always make the implicit assumption that $\Delta$ is a context defined over $\Sigma$ (i.e., term constructors in $\Delta$ must belong to $\Sigma$). As a result, also the output fact $C$ must be defined over $\Sigma$. This assumption, which is the counterpart (see Remark 3.7) of an analogous assumption for proof systems like the one in Figure 1, i.e., with explicit signature notation, will always and tacitly hold in the following. For example, note that in the $\forall$-case of the definition of $\models_\Sigma$, the newly introduced constant $c$ cannot be exported through the output fact $C$. This is crucial to capture the operational semantics of the universal quantifier.

The satisfiability judgment satisfies the following properties.

Lemma 1

For every interpretation $I = \{I_\Sigma\}_{\Sigma \in Sig_P}$, context $\Delta$, and fact $C$, $I \models_\Sigma \Delta \blacktriangleright C$ if and only if $I \models_\Sigma \Delta, C \blacktriangleright \epsilon$.

Proof

See Appendix B. □
Lemma 2

For any interpretations $I_1 = \{(I_1)_\Sigma\}_{\Sigma \in Sig_P}$, $I_2 = \{(I_2)_\Sigma\}_{\Sigma \in Sig_P}$, context $\Delta$, and fact $C$,

i. if $I_1 \subseteq I_2$ and $I_1 \models_\Sigma \Delta \blacktriangleright C$ then $I_2 \models_\Sigma \Delta \blacktriangleright C$;

ii. if $I_1 \subseteq I_2 \subseteq \ldots$ and $\bigcup_{i=1}^{\infty} I_i \models_\Sigma \Delta \blacktriangleright C$ then there exists $k \in \mathbb{N}$ s.t. $I_k \models_\Sigma \Delta \blacktriangleright C$.

Proof

See Appendix B. □
We are now ready to define the fixpoint operator $T_P$.

Definition 4.8 (Fixpoint Operator $T_P$)

Given an LO∀ program $P$ and an interpretation $I = \{I_\Sigma\}_{\Sigma \in Sig_P}$, the fixpoint operator $T_P$ is defined as follows:

$$T_P(I) = \{(T_P(I))_\Sigma\}_{\Sigma \in Sig_P},$$

$$(T_P(I))_\Sigma = \{H\theta + C \mid (H \circ\!- G) \in Vrn(P),\ \theta \text{ is any substitution, and } I \models_\Sigma G\theta \blacktriangleright C\}.$$

Remark 4.9

In the previous definition, $\theta$ is implicitly assumed to be defined over $\Sigma$, i.e., $\theta$ can only map variables in $Dom(\theta)$ to terms in $T_\Sigma$.

The following property holds.

Proposition 2 (Monotonicity and Continuity)

For every LO∀ program $P$, the fixpoint operator $T_P$ is monotonic and continuous over the lattice $(\mathcal{D}, \subseteq)$.

Proof

Monotonicity. Immediate from the definition of $T_P$ and item i of Lemma 2.

Continuity. We prove that $T_P$ is finitary, i.e., for any sequence of interpretations $I_1 \subseteq I_2 \subseteq \ldots$ we have that $T_P(\bigcup_{i=1}^{\infty} I_i) \subseteq \bigcup_{i=1}^{\infty} T_P(I_i)$, i.e., for every $\Sigma \in Sig_P$, $(T_P(\bigcup_{i=1}^{\infty} I_i))_\Sigma \subseteq (\bigcup_{i=1}^{\infty} T_P(I_i))_\Sigma$. Let $\mathcal{A} \in (T_P(\bigcup_{i=1}^{\infty} I_i))_\Sigma$. By definition of $T_P$, there exist a variant $H \circ\!- G$ of a clause in $P$, a substitution $\theta$, and a fact $C$ s.t. $\mathcal{A} = H\theta + C$ and $\bigcup_{i=1}^{\infty} I_i \models_\Sigma G\theta \blacktriangleright C$. By item ii of Lemma 2 we have that there exists $k \in \mathbb{N}$ s.t. $I_k \models_\Sigma G\theta \blacktriangleright C$. Again by definition of $T_P$, we get $\mathcal{A} = H\theta + C \in (T_P(I_k))_\Sigma \subseteq (\bigcup_{i=1}^{\infty} T_P(I_i))_\Sigma$. □

Monotonicity and continuity of the $T_P$ operator imply, by Tarski's Theorem, that $lfp(T_P) = T_P \uparrow \omega$. The fixpoint semantics of a program $P$ is then defined as follows.

Definition 4.10 (Fixpoint Semantics)

Given an LO∀ program $P$, its fixpoint semantics, denoted $F(P)$, is defined as follows:

$$F(P) = (lfp(T_P))_{\Sigma_P} = (T_P \uparrow \omega)_{\Sigma_P}.$$

We conclude this section by proving the following fundamental result, which states that the fixpoint semantics is sound and complete with respect to the operational semantics (see Definition 4.2).

Theorem 1 (Soundness and Completeness)

For every LO∀ program $P$, $F(P) = O(P)$.

Proof

$F(P) \subseteq O(P)$.

We prove that for every $k \in \mathbb{N}$, for every signature $\Sigma \in Sig_P$, and for every context $\Delta$, $T_P \uparrow k \models_\Sigma \Delta \blacktriangleright \epsilon$ implies $P \vdash_\Sigma \Delta$. The proof is by lexicographic induction on $(k, h)$, where $h$ is the length of the derivation of $T_P \uparrow k \models_\Sigma \Delta \blacktriangleright \epsilon$.

- If $\Delta = \top, \Delta'$, obvious;

- if $\Delta = \mathcal{A}$ and $\mathcal{A} \in (T_P \uparrow k)_\Sigma$, then there exist a variant $H \circ\!- G$ of a clause in $P$, a fact $C$ and a substitution $\theta$ s.t. $\mathcal{A} = H\theta + C$ and $T_P \uparrow (k-1) \models_\Sigma G\theta \blacktriangleright C$. By Lemma 1 this implies $T_P \uparrow (k-1) \models_\Sigma G\theta, C \blacktriangleright \epsilon$. Then by the inductive hypothesis we have $P \vdash_\Sigma G\theta, C$, from which $P \vdash_\Sigma H\theta, C$, i.e., $P \vdash_\Sigma \mathcal{A}$, follows by the $bc$ rule;

- if $\Delta = \forall x.\,G, \Delta'$ and $T_P \uparrow k \models_{\Sigma,c} G[c/x], \Delta' \blacktriangleright \epsilon$, with $c \notin \Sigma$, then by the inductive hypothesis we have $P \vdash_{\Sigma,c} G[c/x], \Delta'$, from which $P \vdash_\Sigma \forall x.\,G, \Delta'$ follows by the $\forall_r$ rule;

- if $\Delta = G_1 \,\&\, G_2, \Delta'$, $T_P \uparrow k \models_\Sigma G_1, \Delta' \blacktriangleright \epsilon$, and $T_P \uparrow k \models_\Sigma G_2, \Delta' \blacktriangleright \epsilon$, then by the inductive hypothesis we have $P \vdash_\Sigma G_1, \Delta'$ and $P \vdash_\Sigma G_2, \Delta'$, from which $P \vdash_\Sigma G_1 \,\&\, G_2, \Delta'$ follows by the $\&_r$ rule;

- if $\Delta = G_1 \parr G_2, \Delta'$ and $T_P \uparrow k \models_\Sigma G_1, G_2, \Delta' \blacktriangleright \epsilon$, then by the inductive hypothesis we have $P \vdash_\Sigma G_1, G_2, \Delta'$, from which $P \vdash_\Sigma G_1 \parr G_2, \Delta'$ follows by the $\parr_r$ rule;

- if $\Delta = \bot, \Delta'$ and $T_P \uparrow k \models_\Sigma \Delta' \blacktriangleright \epsilon$, then by the inductive hypothesis we have $P \vdash_\Sigma \Delta'$, from which $P \vdash_\Sigma \bot, \Delta'$ follows by the $\bot_r$ rule.

$O(P) \subseteq F(P)$.

We prove that for every signature $\Sigma \in Sig_P$ and for every context $\Delta$, if $P \vdash_\Sigma \Delta$ then there exists $k \in \mathbb{N}$ s.t. $T_P \uparrow k \models_\Sigma \Delta \blacktriangleright \epsilon$. The proof is by induction on the derivation of $P \vdash_\Sigma \Delta$.

- If $\Delta = \top, \Delta'$, then for every $k \in \mathbb{N}$, $T_P \uparrow k \models_\Sigma \Delta \blacktriangleright \epsilon$;

- if $\Delta = H\theta, \mathcal{A}$, with $H \circ\!- G$ a variant of a clause in $P$, $\theta$ a substitution, and $P \vdash_\Sigma G\theta, \mathcal{A}$, then by the inductive hypothesis we have that there exists $k \in \mathbb{N}$ s.t. $T_P \uparrow k \models_\Sigma G\theta, \mathcal{A} \blacktriangleright \epsilon$. Then, by Lemma 1, $T_P \uparrow k \models_\Sigma G\theta \blacktriangleright \mathcal{A}$. By definition of $T_P$, $H\theta + \mathcal{A} \in (T_P \uparrow (k+1))_\Sigma$, which implies $T_P \uparrow (k+1) \models_\Sigma H\theta + \mathcal{A} \blacktriangleright \epsilon$;

- if $\Delta = \forall x.\,G, \Delta'$ and $P \vdash_{\Sigma,c} G[c/x], \Delta'$, with $c \notin \Sigma$, then by the inductive hypothesis we have that there exists $k \in \mathbb{N}$ s.t. $T_P \uparrow k \models_{\Sigma,c} G[c/x], \Delta' \blacktriangleright \epsilon$, from which $T_P \uparrow k \models_\Sigma \forall x.\,G, \Delta' \blacktriangleright \epsilon$ follows;

- if $\Delta = G_1 \,\&\, G_2, \Delta'$, $P \vdash_\Sigma G_1, \Delta'$ and $P \vdash_\Sigma G_2, \Delta'$, then by the inductive hypothesis we have that there exist $k_1, k_2 \in \mathbb{N}$ s.t. $T_P \uparrow k_1 \models_\Sigma G_1, \Delta' \blacktriangleright \epsilon$ and $T_P \uparrow k_2 \models_\Sigma G_2, \Delta' \blacktriangleright \epsilon$. By taking $k = \max\{k_1, k_2\}$, by item i of Lemma 2 and monotonicity of $T_P$ (Proposition 2) we get $T_P \uparrow k \models_\Sigma G_1, \Delta' \blacktriangleright \epsilon$ and $T_P \uparrow k \models_\Sigma G_2, \Delta' \blacktriangleright \epsilon$, from which $T_P \uparrow k \models_\Sigma G_1 \,\&\, G_2, \Delta' \blacktriangleright \epsilon$ follows;

- if $\Delta = G_1 \parr G_2, \Delta'$ or $\Delta = \bot, \Delta'$, the conclusion follows by a straightforward application of the inductive hypothesis.

□

Example 4.11

Let $\Sigma$ be a signature including the constant symbols $a$ and $b$, a function symbol $f$, and the predicate symbols $p$, $q$, $r$; let $V$ be a denumerable set of variables with $x, y \in V$; and let $P$ be the following $LO_\forall$ program:

1. $r(f(b)) \parr p(a) \circ\!- \top$

2. $p(x) \circ\!- \top$

3. $q(y) \circ\!- (\forall x.p(x)) \& r(y)$

Let $I_0 = \langle \emptyset_\Sigma \rangle_{\Sigma \in \mathit{Sig}_P}$, and let us compute $I_1 = T_P(I_0)$. Using clauses 1 and 2, we get (see Definitions 4.6 and 4.8) that $(I_1)_\Sigma$ contains the multisets of atoms of the form $\{r(f(b)), p(a)\} + \Delta$ and $\{p(t)\} + \Delta$, where $\Delta$ is any multiset of (possibly non-ground) atoms in $\mathcal{A}_\Sigma$ and $t$ is any (possibly non-ground) term in $\mathcal{T}_\Sigma$. Similarly $(I_1)_{\Sigma'}$, for a generic signature $\Sigma'$ such that $\Sigma \subseteq \Sigma'$, contains all multisets of the above form where $\Delta$ and $t$ are taken from $\mathcal{A}_{\Sigma'}$ and $\mathcal{T}_{\Sigma'}$, respectively. For instance, let $c$ be a new constant not appearing in $\Sigma$. The set $(I_1)_{\Sigma'}$ will contain, e.g., the multisets $\{p(c)\}$, $\{p(f(c)), q(b)\}$, and so on.

Now, consider the substitution $\theta = [y \mapsto f(b)]$ and the following corresponding instance of clause 3: $q(f(b)) \circ\!- (\forall x.p(x)) \& r(f(b))$. Assume we want to compute an output fact $C$ for the judgment

$I_1 \models_\Sigma (\forall x.p(x)) \& r(f(b)) \blacktriangleright C$.

By definition of $\models$, we have to compute $I_1 \models_\Sigma (\forall x.p(x)) \blacktriangleright C$ and $I_1 \models_\Sigma r(f(b)) \blacktriangleright C$. For the latter judgment we have, e.g., $I_1 \models_\Sigma r(f(b)) \blacktriangleright p(a)$. For the first judgment, by definition of $\models$, we must compute $I_1 \models_{\Sigma,c} p(c) \blacktriangleright C$, where $c$ is a new constant not in $\Sigma$. As $\{p(c)\}$ is contained in $(I_1)_{\Sigma,c}$, we get $I_1 \models_{\Sigma,c} p(c) \blacktriangleright \epsilon$. We also get $I_1 \models_{\Sigma,c} p(c) \blacktriangleright p(a)$ (in fact $\{p(c), p(a)\}$ is also contained in $(I_1)_{\Sigma,c}$). By applying the $\&$-rule for $\models$, we get $I_1 \models_\Sigma (\forall x.p(x)) \& r(f(b)) \blacktriangleright p(a)$. Therefore, by applying clause 3 we get that, e.g., the multiset $\{q(b), p(a)\}$ is in $(I_2)_\Sigma = (T_P(I_1))_\Sigma$. □

5 An Effective Semantics for $LO_\forall$

The fixpoint operator $T_P$ defined in the previous section does not enjoy one of the crucial properties we required for our bottom-up semantics, namely its definition is not effective. This is a result of both the definition of the satisfiability judgment (whose clause for $\top$ is clearly not effective) and the definition of interpretations as infinite tuples. In order to solve these problems, we first define the (abstract) Herbrand base and (abstract) interpretations as follows.

Definition 5.1 (Abstract Herbrand Base)

Given an $LO_\forall$ program $P$, the Herbrand base of $P$, denoted $HB(P)$, is given by

$HB(P) = HB_{\Sigma_P}(P)$.

Definition 5.2 (Abstract Interpretations)

Given an $LO_\forall$ program $P$, an interpretation $I$ is any subset of $HB(P)$, i.e., $I \in \wp(HB(P))$.

In order to define the abstract domain of interpretations, we need the following definitions.

Definition 5.3 (Instance Operator)

Given an interpretation $I$ and a signature $\Sigma \in \mathit{Sig}_P$, we define the operator $\mathit{Inst}_\Sigma$ as follows:

$\mathit{Inst}_\Sigma(I) = \{ \mathcal{A}\theta \mid \mathcal{A} \in I,\ \theta \text{ substitution over } \Sigma \}$.

Definition 5.4 (Upward-closure Operator)

Given an interpretation $I$ and a signature $\Sigma \in \mathit{Sig}_P$, we define the operator $\mathit{Up}_\Sigma$ as follows:

$\mathit{Up}_\Sigma(I) = \{ \mathcal{A} + C \mid \mathcal{A} \in I,\ C \text{ fact over } \Sigma \}$.

Remark 5.5

Note that, as usual, in the previous definitions we assume the substitution $\theta$ and the fact $C$ to be defined over the signature $\Sigma$.

The following definition provides the connection between the (abstract) interpretations of Definition 5.2 and the (concrete) interpretations of Definition 4.4. The idea behind the definition is that an interpretation implicitly denotes the set of elements which can be obtained by either instantiating or closing upwards the elements of the interpretation itself (where instantiation and upward-closure are made precise by the above definitions). The operation of instantiation is related to the notion of C-semantics (Falaschi et al. 1993) (see Definition 4.2), while the operation of upward-closure is justified by an earlier proposition. Note that instantiation and upward-closure are performed for every possible signature $\Sigma \in \mathit{Sig}_P$.

Definition 5.6 (Denotation of an Interpretation)

Given an (abstract) interpretation $I$, its denotation $[\![ I ]\!]$ is the (concrete) interpretation $\langle [\![ I ]\!]_\Sigma \rangle_{\Sigma \in \mathit{Sig}_P}$ defined as follows:

$[\![ I ]\!]_\Sigma = \mathit{Inst}_\Sigma(\mathit{Up}_\Sigma(I))$ (or, equivalently, $[\![ I ]\!]_\Sigma = \mathit{Up}_\Sigma(\mathit{Inst}_\Sigma(I))$).

Two interpretations $I$ and $J$ are said to be equivalent, written $I \simeq J$, if and only if $[\![ I ]\!] = [\![ J ]\!]$.

The equivalence of the two different equations in Definition 5.6 is stated in the following proposition.
Proposition 3

For every interpretation $I$ and signature $\Sigma \in \mathit{Sig}_P$,

$\mathit{Inst}_\Sigma(\mathit{Up}_\Sigma(I)) = \mathit{Up}_\Sigma(\mathit{Inst}_\Sigma(I))$.

Proof

Let $(\mathcal{A} + C)\theta \in \mathit{Inst}_\Sigma(\mathit{Up}_\Sigma(I))$, with $\mathcal{A} \in I$. Then $(\mathcal{A} + C)\theta = (\mathcal{A}\theta) + C\theta \in \mathit{Up}_\Sigma(\mathit{Inst}_\Sigma(I))$. Conversely, let $\mathcal{A}\theta + C \in \mathit{Up}_\Sigma(\mathit{Inst}_\Sigma(I))$, with $\mathcal{A} \in I$. Let $B$ be a variant of $C$ with new variables (not appearing in $\mathcal{A}$, $\theta$, and $C$) and let $\theta'$ be the substitution with domain $\mathit{Dom}(\theta) \cup \mathit{FV}(B)$ s.t. $\theta'|_{\mathit{Dom}(\theta)} = \theta$ and $\theta'$ maps $B$ to $C$. Then $\mathcal{A}\theta + C = \mathcal{A}\theta' + B\theta' = (\mathcal{A} + B)\theta' \in \mathit{Inst}_\Sigma(\mathit{Up}_\Sigma(I))$. □

We are now ready to define the symbolic interpretation domain. In the following we will use the word abstract to stress the connection between our symbolic semantics and the theory of abstract interpretation. Our abstraction does not lose precision, but it allows us to finitely represent infinite collections of formulas. As previously mentioned, the idea is that of considering interpretations as implicitly defining the sets of elements contained in their denotations. Therefore, differently from the concrete case, we now need to check containment between denotations. Furthermore, as we do not need to distinguish between interpretations having the same denotation, we simply identify them using equivalence classes with respect to the corresponding equivalence relation $\simeq$.

Definition 5.7 (Abstract Interpretation Domain)

Abstract interpretations form a complete lattice $(\mathcal{I}, \sqsubseteq)$, where

• $\mathcal{I} = \{ [I]_\simeq \mid I \text{ is an interpretation} \}$;

• $[I]_\simeq \sqsubseteq [J]_\simeq$ if and only if $[\![ I ]\!] \subseteq [\![ J ]\!]$;

• the least upper bound of $[I]_\simeq$ and $[J]_\simeq$, written $[I]_\simeq \sqcup [J]_\simeq$, is $[I \cup J]_\simeq$;

• the bottom and top elements are $[\emptyset]_\simeq$ and $[\epsilon]_\simeq$, respectively.

The following proposition provides an effective and equivalent condition for testing the $\sqsubseteq$ relation (which we call entailment relation) over interpretations. We will need this result later on.

Proposition 4 (Entailment between Interpretations)

Given two interpretations $I$ and $J$, $[\![ I ]\!] \subseteq [\![ J ]\!]$ if and only if for every $\mathcal{A} \in I$ there exist $B \in J$, a substitution $\theta$, and a fact $C$ (defined over $\Sigma_P$) s.t. $\mathcal{A} = B\theta + C$.

Proof

If part. We prove that for every $\Sigma \in \mathit{Sig}_P$, $[\![ I ]\!]_\Sigma \subseteq [\![ J ]\!]_\Sigma$. Let $\mathcal{A}' = \mathcal{A}\theta' + C' \in \mathit{Up}_\Sigma(\mathit{Inst}_\Sigma(I)) = [\![ I ]\!]_\Sigma$, with $\mathcal{A} \in I$ and $\theta'$, $C'$ defined over $\Sigma$. By hypothesis, there exist $B \in J$, a substitution $\theta$, and a fact $C$ (defined over $\Sigma_P$) s.t. $\mathcal{A} = B\theta + C$. Therefore, $\mathcal{A}' = \mathcal{A}\theta' + C' = (B\theta + C)\theta' + C' = B\theta\theta' + (C\theta' + C') \in \mathit{Up}_\Sigma(\mathit{Inst}_\Sigma(J)) = [\![ J ]\!]_\Sigma$ (note that $\theta\theta'$ and $C\theta' + C'$ are both defined over $\Sigma$ because $\Sigma_P \subseteq \Sigma$).

Only if part. Let $\mathcal{A} \in I$; then $\mathcal{A} \in [\![ I ]\!]_{\Sigma_P}$ (note that $\mathcal{A}$ is defined over $\Sigma_P$ by definition of interpretation). Then, by the hypothesis we have that $\mathcal{A} \in [\![ J ]\!]_{\Sigma_P} = \mathit{Up}_{\Sigma_P}(\mathit{Inst}_{\Sigma_P}(J))$, i.e., there exist $B \in J$, a substitution $\theta$, and a fact $C$ (defined over $\Sigma_P$) s.t. $\mathcal{A} = B\theta + C$. □
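Proposition 4 turns the containment of two infinite denotations into a finite check: every multiset of $I$ must be an instance of some multiset of $J$, possibly extended with further atoms. The Python code below is an added example and is not the paper's own code nor part of its Standard ML tool; the term encoding (variables as strings, constants and function applications as tuples) and the function names are assumptions made here. It implements the one-way matching needed to decide $\mathcal{A} = B\theta + C$ and applies it to the subsumption step of Example 5.13 ($r(y), p(f(y))$ is subsumed by $p(f(y'))$) and to the instance $\{p(f(c)), q(b)\}$ of $\{p(x)\}$ from Example 4.11.

```python
from itertools import combinations, permutations

# Added example, not the paper's code. Encoding (constructed here): a variable
# is a str such as 'x'; a constant or function application is a tuple
# (symbol, *args), e.g. ('a',) or ('f', 'x'); atoms have the same shape,
# e.g. ('p', ('f', 'x')). A fact is a tuple of atoms read as a multiset; a
# substitution is a dict from variable names to terms.

def apply_subst(theta, t):
    """Simultaneous application of theta to a term or atom."""
    if isinstance(t, str):
        return theta.get(t, t)
    return (t[0],) + tuple(apply_subst(theta, a) for a in t[1:])

def match(pattern, term, theta):
    """One-way matching: extend theta so that pattern*theta == term, else None.
    Variables of `term` are never bound, so only `pattern` gets instantiated."""
    if isinstance(pattern, str):
        if pattern in theta:
            return theta if theta[pattern] == term else None
        return {**theta, pattern: term}
    if isinstance(term, str) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        theta = match(p, t, theta)
        if theta is None:
            return None
    return theta

def match_multiset(b, a_sub, theta):
    """Match the atoms of b against the atoms of a_sub (same size) in some order."""
    for perm in permutations(a_sub):
        th = theta
        for pb, pa in zip(b, perm):
            th = match(pb, pa, th)
            if th is None:
                break
        if th is not None:
            return th
    return None

def subsumes(b, a):
    """Return (theta, c) with a == b*theta + c, i.e. the witness A = B theta + C
    of Proposition 4, or None if no sub-multiset of a is an instance of b."""
    if len(b) > len(a):
        return None
    for idx in combinations(range(len(a)), len(b)):
        th = match_multiset(b, [a[i] for i in idx], {})
        if th is not None:
            rest = tuple(a[i] for i in range(len(a)) if i not in idx)
            return th, rest
    return None

def entails(i, j):
    """[[I]] is contained in [[J]] (Proposition 4): every A in I is some B theta + C, B in J."""
    return all(any(subsumes(b, a) is not None for b in j) for a in i)

if __name__ == "__main__":
    # Example 5.13: r(y), p(f(y)) is subsumed by p(f(y')) with theta = [y' -> y], C = r(y)
    print(subsumes((('p', ('f', "y'")),), (('r', 'y'), ('p', ('f', 'y')))))
    # Example 4.11: {p(f(c)), q(b)} lies in the denotation of {p(x)}
    print(entails([(('p', ('f', ('c',))), ('q', ('b',)))], [(('p', 'x'),)]))
```

The search is exhaustive over sub-multisets and orderings, which is exponential in the size of the facts; that is acceptable for the small multisets of the examples, and a tool would prune it by indexing candidate atoms on their predicate symbol. Note that `match` treats the variables of $\mathcal{A}$ as constants, so $\{p(x)\}$ is not an instance of $\{p(f(c)), q(b)\}$: the relation is one-way, exactly as Definition 5.3 requires.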
We now define the abstract satisfiability judgment $I \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$, where $I$ is an input interpretation, $\Delta$ is an input context, $C$ is an output fact, and $\theta$ is an output substitution.

Remark 5.8

As usual, the notation $I \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$ requires that $\Delta$, $C$, and $\theta$ are defined over the signature $\Sigma$. As a consequence, the newly introduced constant $c$ in the $\forall$-case of the $\Vdash_\Sigma$ definition below cannot be exported through the output parameters $C$ or $\theta$.

The judgment $\Vdash_\Sigma$ can be thought of as an abstract version of the judgment $\models_\Sigma$ (compare Definition 4.6). We now need one more parameter, namely an output substitution. The idea behind the definition is that the output fact $C$ and the output substitution $\theta$ are minimal (in a sense to be clarified), so that they can be computed effectively given a program $P$, an interpretation $I$, and a signature $\Sigma$. The output substitution $\theta$ is needed in order to deal with clause instantiation, and its minimality is ensured by using most general unifiers in the definition. As the reader can note, the sources of non-effectiveness present in Definition 4.6 (e.g., in the rule for $\top$) are removed in Definition 5.9 below. We recall that the notation $\theta_1 \uparrow \theta_2$ denotes the least upper bound of substitutions (see Appendix A).

Definition 5.9 (Abstract Satisfiability Judgment)

Let $P$ be an $LO_\forall$ program, $I$ an interpretation, and $\Sigma \in \mathit{Sig}_P$. The abstract satisfiability judgment $\Vdash_\Sigma$ is defined as follows:

$I \Vdash_\Sigma \top, \Delta \blacktriangleright \epsilon \blacktriangleright \mathit{nil}$;

$I \Vdash_\Sigma \mathcal{A} \blacktriangleright C \blacktriangleright \theta$ if there exist $B \in I$ (variant), $B' \preceq B$, $\mathcal{A}' \preceq \mathcal{A}$, $|B'| = |\mathcal{A}'|$, $C = B \setminus B'$, and $\theta = \mathit{mgu}(B', \mathcal{A}')|_{\mathit{FV}(\mathcal{A}, C)}$;

$I \Vdash_\Sigma \forall x.G, \Delta \blacktriangleright C \blacktriangleright \theta$ if $I \Vdash_{\Sigma,c} G[c/x], \Delta \blacktriangleright C \blacktriangleright \theta$, with $c \notin \Sigma$ (see Remark 5.8);

$I \Vdash_\Sigma G_1 \& G_2, \Delta \blacktriangleright C \blacktriangleright \theta$ if $I \Vdash_\Sigma G_1, \Delta \blacktriangleright C_1 \blacktriangleright \theta_1$, $I \Vdash_\Sigma G_2, \Delta \blacktriangleright C_2 \blacktriangleright \theta_2$, $D_1 \preceq C_1$, $D_2 \preceq C_2$, $|D_1| = |D_2|$, $\theta_3 = \mathit{mgu}(D_1, D_2)$, $C = C_1 + (C_2 \setminus D_2)$, and $\theta = (\theta_1 \uparrow \theta_2 \uparrow \theta_3)|_{\mathit{FV}(G_1 \& G_2, \Delta, C)}$;

$I \Vdash_\Sigma G_1 \parr G_2, \Delta \blacktriangleright C \blacktriangleright \theta$ if $I \Vdash_\Sigma G_1, G_2, \Delta \blacktriangleright C \blacktriangleright \theta$;

$I \Vdash_\Sigma \bot, \Delta \blacktriangleright C \blacktriangleright \theta$ if $I \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$.

We recall that two multisets may in general have more than one (not necessarily equivalent) most general unifier and that by the notation $\mathit{mgu}(B', \mathcal{A}')$ we mean any unifier non-deterministically picked from the set of most general unifiers of $B'$ and $\mathcal{A}'$ (see Appendix A).

Example 5.10

Let us consider a signature with a function symbol $f$ and predicate symbols $p, q, r, s$. Let $V$ be a denumerable set of variables, and $u, v, w, \ldots \in V$. Let $I$ be the interpretation consisting of the two multisets $\{p(x), q(x)\}$ and $\{r(y), p(f(y))\}$ (for simplicity, hereafter we omit brackets in multiset notation), and $P$ the program

1. $r(w) \circ\!- q(f(w))$

2. $s(z) \circ\!- \forall x.p(f(x))$

3. $\bot \circ\!- q(u) \& r(v)$

Let us consider (a renaming of) the body of the first clause, $q(f(w'))$, and (a renaming of) the first element in $I$, $p(x'), q(x')$. Using the second case for the $\Vdash_{\Sigma_P}$ judgment, with $\mathcal{A} = \mathcal{A}' = q(f(w'))$, $B = p(x'), q(x')$, $B' = q(x')$, we get

$I \Vdash_{\Sigma_P} q(f(w')) \blacktriangleright p(x') \blacktriangleright [x' \mapsto f(w')]$.

Let us consider now (a renaming of) the body of the second clause, $\forall x.p(f(x))$, and another renaming of the first element, $p(x''), q(x'')$. From the $\forall$-case of the definition of $\Vdash_{\Sigma_P}$, $I \Vdash_{\Sigma_P} \forall x.p(f(x)) \blacktriangleright C \blacktriangleright \theta$ if $I \Vdash_{\Sigma_P,c} p(f(c)) \blacktriangleright C \blacktriangleright \theta$, with $c \notin \Sigma_P$. Now, we can apply the second case for $\Vdash_{\Sigma_P,c}$. Unfortunately, we cannot choose $\mathcal{A}'$ to be $p(f(c))$ and $B'$ to be $p(x'')$. In fact, by unifying $p(f(c))$ with $p(x'')$, we would get the substitution $\theta = [x'' \mapsto f(c)]$ and the output fact $q(x'')$ (note that $x''$ is a free variable in the output fact), and this is not allowed because the substitution $\theta$ must be defined on $\Sigma_P$ in order for $I \Vdash_{\Sigma_P} \forall x.p(f(x)) \blacktriangleright C \blacktriangleright \theta$ to be meaningful. It turns out that the only way to use the second clause for $\Vdash_{\Sigma_P,c}$ is to choose $\mathcal{A}' = B' = \epsilon$, which is useless in the fixpoint computation (see Example 5.13). Finally, let us consider (a renaming of) the body of the third clause, $\bot \circ\!- q(u') \& r(v')$. According to the $\&$-rule for the $\Vdash_{\Sigma_P}$ judgment, we must first compute $C_1$, $C_2$, $\theta_1$ and $\theta_2$ such that $I \Vdash_{\Sigma_P} q(u') \blacktriangleright C_1 \blacktriangleright \theta_1$ and $I \Vdash_{\Sigma_P} r(v') \blacktriangleright C_2 \blacktriangleright \theta_2$. To this aim, take two variants of the multisets in $I$, $p(x'''), q(x''')$ and $r(y'), p(f(y'))$. Proceeding as above, we get that

$I \Vdash_{\Sigma_P} q(u') \blacktriangleright p(x''') \blacktriangleright [u' \mapsto x''']$ and $I \Vdash_{\Sigma_P} r(v') \blacktriangleright p(f(y')) \blacktriangleright [v' \mapsto y']$.

Now, we can apply the $\&$-rule for the $\Vdash_{\Sigma_P}$ judgment, with $D_1 = p(x''')$, $D_2 = p(f(y'))$, and $\theta_3 = [x''' \mapsto f(y')]$. We have that $\theta_1 \uparrow \theta_2 \uparrow \theta_3 = [u' \mapsto f(y'), v' \mapsto y', x''' \mapsto f(y')]$. Therefore, we get that

$I \Vdash_{\Sigma_P} q(u') \& r(v') \blacktriangleright p(x''') \blacktriangleright [u' \mapsto f(y'), v' \mapsto y', x''' \mapsto f(y')]$.

□
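The atomic case of Definition 5.9 is the step that makes the judgment effective: instead of guessing an arbitrary fact, it enumerates sub-multisets $B' \preceq B$ and $\mathcal{A}' \preceq \mathcal{A}$ of equal size and lets a most general unifier produce the output. The Python code below is an added example, not the paper's code or its Standard ML implementation; the encoding of terms (variables as strings, function applications as tuples), the function names, and the way eigenvariables are passed in (`eigen`) are assumptions made here. It computes all $(C, \theta)$ pairs of the atomic case for a given $I$ and atomic context, restricting $\theta$ to $\mathit{FV}(\mathcal{A}, C)$ as the definition requires, and drops the pairs in which a constant outside $\Sigma$ would leak through $C$ or $\theta$, which is exactly the situation Example 5.10 discusses for $p(f(c))$ (Remark 5.8).

```python
from itertools import combinations, permutations

# Added example, not the paper's code. Encoding (constructed here): a variable
# is a str such as "x'"; a constant or function application is a tuple
# (symbol, *args), e.g. ('f', "w'") or ('c',); atoms use the same shape.
# A multiset is a tuple of atoms; a substitution is a dict variable -> term.

def apply_subst(theta, t):
    """Apply theta to t, resolving binding chains such as x -> y, y -> f(z)."""
    if isinstance(t, str):
        return apply_subst(theta, theta[t]) if t in theta else t
    return (t[0],) + tuple(apply_subst(theta, a) for a in t[1:])

def occurs(v, t):
    return t == v if isinstance(t, str) else any(occurs(v, a) for a in t[1:])

def unify(s, t, theta):
    """Robinson unification extending theta; None when s and t do not unify."""
    s, t = apply_subst(theta, s), apply_subst(theta, t)
    if s == t:
        return theta
    if isinstance(s, str):
        return None if occurs(s, t) else {**theta, s: t}
    if isinstance(t, str):
        return unify(t, s, theta)
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        theta = unify(a, b, theta)
        if theta is None:
            return None
    return theta

def free_vars(terms):
    """Variables occurring in a sequence of terms or atoms."""
    out, stack = set(), list(terms)
    while stack:
        t = stack.pop()
        if isinstance(t, str):
            out.add(t)
        else:
            stack.extend(t[1:])
    return out

def mentions(terms, consts):
    """True if a constant symbol from consts occurs in the given terms."""
    stack = list(terms)
    while stack:
        t = stack.pop()
        if not isinstance(t, str):
            if len(t) == 1 and t[0] in consts:
                return True
            stack.extend(t[1:])
    return False

def atom_case(interp, delta, eigen=frozenset()):
    """Atomic case of Definition 5.9: every (C, theta) with B in I (assumed
    already renamed apart from delta), B' <= B, A' <= delta, |B'| = |A'|,
    C = B \\ B', theta = mgu(B', A') restricted to FV(delta) U FV(C).
    `eigen` holds constants outside the signature of the judgment (the
    constant c of the forall-case); pairs exporting one of them are dropped
    (Remark 5.8). The empty choice B' = A' = epsilon is included, as in the paper."""
    results = []
    for b in interp:
        for k in range(0, min(len(b), len(delta)) + 1):
            for bi in combinations(range(len(b)), k):
                b_sub = [b[i] for i in bi]
                c = tuple(b[i] for i in range(len(b)) if i not in bi)
                for ai in combinations(range(len(delta)), k):
                    for perm in permutations(ai):
                        th = {}
                        for x, y in zip(b_sub, (delta[i] for i in perm)):
                            th = unify(y, x, th)  # delta atom first: binds its variables first
                            if th is None:
                                break
                        if th is None:
                            continue
                        keep = free_vars(delta) | free_vars(c)
                        theta = {v: apply_subst(th, v) for v in th if v in keep}
                        if mentions(c, eigen) or mentions(theta.values(), eigen):
                            continue
                        if (c, theta) not in results:
                            results.append((c, theta))
    return results

if __name__ == "__main__":
    I = ((('p', "x'"), ('q', "x'")),)             # renamed first element of I in Example 5.10
    print(atom_case(I, (('q', ('f', "w'")),)))    # contains (p(x'), [x' -> f(w')])
    I2 = ((('p', "x''"), ('q', "x''")),)
    print(atom_case(I2, (('p', ('f', ('c',))),), eigen={'c'}))  # only the empty choice survives
```

Unifying the atom of $\Delta$ against the atom of $B'$ in that order reproduces the paper's choice of binding direction ($u' \mapsto x'''$ rather than $x''' \mapsto u'$); both are most general unifiers, which is the non-determinism noted after Definition 5.9. For $p(f(c))$ the only pair the function returns is $(B, \mathit{nil})$, matching the remark in Example 5.10 that choosing $\mathcal{A}' = B' = \epsilon$ is the only option once $c \notin \Sigma_P$ must not be exported.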

The following lemma states a simple property of the substitution domain, which we will need in the following.

Lemma 3

For every interpretation $I$, context $\Delta$, fact $C$, and substitution $\theta$, if $I \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$ then $\mathit{Dom}(\theta) \subseteq \mathit{FV}(\Delta) \cup \mathit{FV}(C)$.

Proof

Immediate by induction on the definition of $\Vdash_\Sigma$. □

The connection between the satisfiability judgments $\models_\Sigma$ and $\Vdash_\Sigma$ is clarified by the following lemma (in the following we denote by $\succeq$ the converse of the sub-multiset relation, i.e., $\mathcal{A} \succeq B$ if and only if $B \preceq \mathcal{A}$).

Lemma 4

For every interpretation $I$, context $\Delta$, fact $C$, and substitution $\theta$,

i. if $I \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$ then $[\![ I ]\!] \models_\Sigma \Delta\theta\theta' \blacktriangleright C'\theta'$ for every substitution $\theta'$ and fact $C' \succeq C\theta$;

ii. if $[\![ I ]\!] \models_\Sigma \Delta\theta \blacktriangleright C$ then there exist a fact $C'$, and substitutions $\theta'$ and $\sigma$ s.t. $I \Vdash_\Sigma \Delta \blacktriangleright C' \blacktriangleright \theta'$, $\theta|_{\mathit{FV}(\Delta)} = (\theta' \circ \sigma)|_{\mathit{FV}(\Delta)}$, $C'\theta'\sigma \preceq C$.

Proof

See Appendix B. □

The satisfiability judgment $\Vdash_\Sigma$ also satisfies the following properties.

Lemma 5

For any interpretations $I_1, I_2, \ldots$, context $\Delta$, fact $C$, and substitution $\theta$,

i. if $I_1 \sqsubseteq I_2$ and $I_1 \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$ then there exist a fact $C'$, and substitutions $\theta'$ and $\sigma$ s.t. $I_2 \Vdash_\Sigma \Delta \blacktriangleright C' \blacktriangleright \theta'$, $\theta|_{\mathit{FV}(\Delta)} = (\theta' \circ \sigma)|_{\mathit{FV}(\Delta)}$, $C'\theta'\sigma \preceq C\theta$;

ii. if $I_1 \sqsubseteq I_2 \sqsubseteq \ldots$ and $\bigcup_{i=1}^{\infty} I_i \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$ then there exist $k \in \mathbb{N}$, a fact $C'$, and substitutions $\theta'$ and $\sigma$ s.t. $I_k \Vdash_\Sigma \Delta \blacktriangleright C' \blacktriangleright \theta'$, $\theta|_{\mathit{FV}(\Delta)} = (\theta' \circ \sigma)|_{\mathit{FV}(\Delta)}$, $C'\theta'\sigma \preceq C\theta$.

Proof

See Appendix B. □

We are now ready to define the abstract fixpoint operator $S_P : \mathcal{I} \to \mathcal{I}$. We will proceed in two steps. We will first define an operator working over interpretations (i.e., elements of $\wp(HB(P))$). With a little bit of overloading, we will call the operator with the same name, i.e., $S_P$. This operator should satisfy the equation $[\![ S_P(I) ]\!] = T_P([\![ I ]\!])$ for every interpretation $I$. This property ensures soundness and completeness of the symbolic representation.

After defining the operator over $\wp(HB(P))$, we will lift it to our abstract domain $\mathcal{I}$ consisting of the equivalence classes of elements of $\wp(HB(P))$ w.r.t. the relation $\simeq$ defined in Definition 5.6. Formally, we first introduce the following definition.

Definition 5.11 (Symbolic Fixpoint Operator $S_P$)

Given an $LO_\forall$ program $P$ and an interpretation $I$, the symbolic fixpoint operator $S_P$ is defined as follows:

$S_P(I) = \{ (H + C)\theta \mid (H \circ\!- G) \in \mathit{Vrn}(P),\ I \Vdash_{\Sigma_P} G \blacktriangleright C \blacktriangleright \theta \}$.

Note that the $S_P$ operator is defined using the judgment $\Vdash_{\Sigma_P}$.

Proposition 5 states that $S_P$ is sound and complete w.r.t. $T_P$. In order to prove this, we need to formulate Lemma 6 below.
Notation. Let $P$ be an $LO_\forall$ program, and $\Sigma, \Sigma_1 \in \mathit{Sig}_P$ be two signatures such that $\Sigma_1 \subseteq \Sigma$. Given a fact $C$ defined on $\Sigma$, we use $\lceil C \rceil_{\Sigma \to \Sigma_1}$ to denote any fact obtained in the following way. For every constant (eigenvariable) $c \in (\Sigma \setminus \Sigma_1)$, pick a new variable in $V$ (not appearing in $C$), let it be $x_c$ (distinct variables must be chosen for distinct eigenvariables). Now, $\lceil C \rceil_{\Sigma \to \Sigma_1}$ is obtained from $C$ by replacing every $c \in (\Sigma \setminus \Sigma_1)$ with $x_c$. For instance, if $C = \{p(x, f(c)), q(y, d)\}$, with $c \in (\Sigma \setminus \Sigma_1)$ and $d \in \Sigma_1$, we have that $\lceil C \rceil_{\Sigma \to \Sigma_1} = \{p(x, f(x_c)), q(y, d)\}$.

Given a context (multiset of goals) $\Delta$ defined on $\Sigma$, we define $\lceil \Delta \rceil_{\Sigma \to \Sigma_1}$ in the same way. Similarly, given a substitution $\theta$ defined on $\Sigma$, we use the notation $\lceil \theta \rceil_{\Sigma \to \Sigma_1}$ to denote the substitution obtained from $\theta$ by replacing every $c \in (\Sigma \setminus \Sigma_1)$ with a new variable $x_c$ in every binding of $\theta$. For instance, if $\theta = [u \mapsto p(x, f(c)), v \mapsto q(y, d)]$, with $c \in (\Sigma \setminus \Sigma_1)$ and $d \in \Sigma_1$, we have that $\lceil \theta \rceil_{\Sigma \to \Sigma_1} = [u \mapsto p(x, f(x_c)), v \mapsto q(y, d)]$.

By the notation $[\![ I ]\!] \models_{\Sigma_1} \lceil \Delta \rceil_{\Sigma \to \Sigma_1} \blacktriangleright \lceil C \rceil_{\Sigma \to \Sigma_1}$ we mean the judgment obtained by replacing every $c \in (\Sigma \setminus \Sigma_1)$ with $x_c$ simultaneously in $\Delta$ and $C$. Newly introduced variables must not appear in $\Delta$, $C$, or $I$.

When $\Sigma$ and $\Sigma_1$ are clear from the context, we simply write $\lceil C \rceil$, $\lceil \Delta \rceil$, and $\lceil \theta \rceil$ for $\lceil C \rceil_{\Sigma \to \Sigma_1}$, $\lceil \Delta \rceil_{\Sigma \to \Sigma_1}$, and $\lceil \theta \rceil_{\Sigma \to \Sigma_1}$.

Finally, we use $\downarrow_{\Sigma_1 \to \Sigma}$ (or simply $\downarrow$ if it is not ambiguous) to denote the substitution which maps every variable $x_c$ back to $c$ (for every $c \in (\Sigma \setminus \Sigma_1)$), i.e., consisting of all bindings of the form $x_c \mapsto c$ for every $c \in \Sigma \setminus \Sigma_1$. Clearly, we have that $\lceil F \rceil\downarrow = F$ for any fact or context $F$, and $(\lceil \theta \rceil \circ \downarrow) = \theta$ for any substitution $\theta$.

Note that, by definition, $\lceil C \rceil_{\Sigma \to \Sigma_1}$ and $\lceil \Delta \rceil_{\Sigma \to \Sigma_1}$ are defined on $\Sigma_1$, while $\downarrow_{\Sigma_1 \to \Sigma}$ is defined on $\Sigma$.

Lemma 6

Let $P$ be an $LO_\forall$ program, $I$ an interpretation, and $\Sigma, \Sigma_1 \in \mathit{Sig}_P$ two signatures with $\Sigma_1 \subseteq \Sigma$.

i. If $I \Vdash_{\Sigma_1} \Delta \blacktriangleright C \blacktriangleright \theta$ then $I \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$;

ii. If $[\![ I ]\!] \models_\Sigma \Delta \blacktriangleright C$ then $[\![ I ]\!] \models_{\Sigma_1} \lceil \Delta \rceil_{\Sigma \to \Sigma_1} \blacktriangleright \lceil C \rceil_{\Sigma \to \Sigma_1}$.

Proof

See Appendix B. □

Proposition 5

For every $LO_\forall$ program $P$ and interpretation $I$, $[\![ S_P(I) ]\!] = T_P([\![ I ]\!])$.

Proof

$[\![ S_P(I) ]\!] \subseteq T_P([\![ I ]\!])$.

We prove that for every $\Sigma \in \mathit{Sig}_P$, $[\![ S_P(I) ]\!]_\Sigma \subseteq T_P([\![ I ]\!])_\Sigma$. Assume $(H + C)\theta \in S_P(I)$, with $H \circ\!- G$ a variant of a clause in $P$ and $I \Vdash_{\Sigma_P} G \blacktriangleright C \blacktriangleright \theta$. Assume also that $\mathcal{A} = ((H + C)\theta + D)\theta' \in \mathit{Inst}_\Sigma(\mathit{Up}_\Sigma(S_P(I))) = [\![ S_P(I) ]\!]_\Sigma$. We have that $I \Vdash_{\Sigma_P} G \blacktriangleright C \blacktriangleright \theta$ implies $I \Vdash_\Sigma G \blacktriangleright C \blacktriangleright \theta$ by item i of Lemma 6 (remember that $\Sigma_P \subseteq \Sigma$). Therefore, by item i of Lemma 4 we get $[\![ I ]\!] \models_\Sigma G\theta\theta' \blacktriangleright C'\theta'$ for any fact $C' \succeq C\theta$. Taking $C' = C\theta + D$, it follows that $[\![ I ]\!] \models_\Sigma G\theta\theta' \blacktriangleright C\theta\theta' + D\theta'$. Therefore, by definition of $T_P$, we have $H\theta\theta' + C\theta\theta' + D\theta' \in (T_P([\![ I ]\!]))_\Sigma$, i.e., $\mathcal{A} \in (T_P([\![ I ]\!]))_\Sigma$.

$T_P([\![ I ]\!]) \subseteq [\![ S_P(I) ]\!]$.

We prove that for every $\Sigma \in \mathit{Sig}_P$, $T_P([\![ I ]\!])_\Sigma \subseteq [\![ S_P(I) ]\!]_\Sigma$. Assume $\mathcal{A} \in (T_P([\![ I ]\!]))_\Sigma$. By definition of $T_P$, there exist a variant $H \circ\!- G$ of a clause in $P$, a fact $C$ and a substitution $\theta$ (defined over $\Sigma$) s.t. $\mathcal{A} = H\theta + C$ and $[\![ I ]\!] \models_\Sigma G\theta \blacktriangleright C$.

By item ii of Lemma 6 we have that $[\![ I ]\!] \models_\Sigma G\theta \blacktriangleright C$ implies $[\![ I ]\!] \models_{\Sigma_P} \lceil G\theta \rceil \blacktriangleright \lceil C \rceil$ (hereafter, we use the notation $\lceil \cdot \rceil$ for $\lceil \cdot \rceil_{\Sigma \to \Sigma_P}$). From $H \circ\!- G$ in $P$, we know that $G$ is defined on $\Sigma_P$. It follows easily that $\lceil G\theta \rceil = G\lceil \theta \rceil$, so that $[\![ I ]\!] \models_{\Sigma_P} G\lceil \theta \rceil \blacktriangleright \lceil C \rceil$. By item ii of Lemma 4 there exist a fact $C'$, and substitutions $\theta'$ and $\sigma$ (defined over $\Sigma_P$) s.t. $I \Vdash_{\Sigma_P} G \blacktriangleright C' \blacktriangleright \theta'$, $\lceil \theta \rceil|_{\mathit{FV}(G)} = (\theta' \circ \sigma)|_{\mathit{FV}(G)}$, and $C'\theta'\sigma \preceq \lceil C \rceil$.

By definition of $S_P$, we have $(H + C')\theta' \in S_P(I)$.

Now, $\mathcal{A} = H\theta + C = H\lceil \theta \rceil\downarrow + \lceil C \rceil\downarrow =$ (note that by hypothesis $\theta' \circ \sigma$ and $\lceil \theta \rceil$ coincide on the variables of $G$, and are not defined on the variables of $H$ which do not appear in $G$, because $H \circ\!- G$ is a variant) $H\theta'\sigma\downarrow + \lceil C \rceil\downarrow \succeq H\theta'\sigma\downarrow + C'\theta'\sigma\downarrow = ((H + C')\theta')\sigma\downarrow \in [\![ (H + C')\theta' ]\!]_\Sigma \subseteq [\![ S_P(I) ]\!]_\Sigma$. □

The following corollary holds.

Corollary 1

For every $LO_\forall$ program $P$ and interpretations $I$ and $J$, if $I \simeq J$ then $S_P(I) \simeq S_P(J)$.

Proof

If $I \simeq J$, i.e., $[\![ I ]\!] = [\![ J ]\!]$, we have that $T_P([\![ I ]\!]) = T_P([\![ J ]\!])$. By Proposition 5 it follows that $[\![ S_P(I) ]\!] = [\![ S_P(J) ]\!]$, i.e., $S_P(I) \simeq S_P(J)$. □

Corollary 1 allows us to safely lift the definition of $S_P$ from the lattice $(\wp(HB(P)), \subseteq)$ to $(\mathcal{I}, \sqsubseteq)$. Formally, we define the abstract fixpoint operator as follows.

Definition 5.12 (Abstract Fixpoint Operator $S_P$)

Given an $LO_\forall$ program $P$ and an equivalence class $[I]_\simeq$ of $I$, the abstract fixpoint operator $S_P$ is defined as follows:

$S_P([I]_\simeq) = [S_P(I)]_\simeq$

where $S_P(I)$ is defined in Definition 5.11.

For the sake of simplicity, in the following we will often use $I$ to denote its class $[I]_\simeq$, and we will simply use the term (abstract) interpretation to refer to an equivalence class, i.e., an element of $\mathcal{I}$. The abstract fixpoint operator $S_P$ satisfies the following property.

Proposition 6 (Monotonicity and Continuity)

For every $LO_\forall$ program $P$, the abstract fixpoint operator $S_P$ is monotonic and continuous over the lattice $(\mathcal{I}, \sqsubseteq)$.

Proof

Monotonicity.

We prove that if $I \sqsubseteq J$, then $S_P(I) \sqsubseteq S_P(J)$, i.e., $[\![ S_P(I) ]\!] \subseteq [\![ S_P(J) ]\!]$. To prove the latter condition, we will use the characterization given by Proposition 4. Assume $\mathcal{A} = (H + C)\theta \in S_P(I)$, with $H \circ\!- G$ a variant of a clause in $P$ and $I \Vdash_{\Sigma_P} G \blacktriangleright C \blacktriangleright \theta$.

By item i of Lemma 5 there exist a fact $C'$, and substitutions $\theta'$ and $\sigma$ (note that they are defined over $\Sigma_P$) s.t. $J \Vdash_{\Sigma_P} G \blacktriangleright C' \blacktriangleright \theta'$, $\theta|_{\mathit{FV}(G)} = (\theta' \circ \sigma)|_{\mathit{FV}(G)}$, $C'\theta'\sigma \preceq C\theta$. Let $C\theta = C'\theta'\sigma + D$, with $D$ a fact defined over $\Sigma_P$. By definition of $S_P$, $B = (H + C')\theta' \in S_P(J)$.

Now, $(H + C)\theta = H\theta + C\theta = H\theta'\sigma + C'\theta'\sigma + D$ (note in fact that by hypothesis $\theta'\sigma$ and $\theta$ coincide on the variables of $G$, and are not defined on the variables of $H$ which do not appear in $G$, because $H \circ\!- G$ is a variant). Therefore, we have that $\mathcal{A} = H\theta'\sigma + C'\theta'\sigma + D = B\sigma + D$.

Continuity.

We show that $S_P$ is finitary, i.e., if $I_1 \sqsubseteq I_2 \sqsubseteq \ldots$, then $S_P(\bigcup_{i=1}^{\infty} I_i) \sqsubseteq \bigcup_{i=1}^{\infty} S_P(I_i)$, i.e., $[\![ S_P(\bigcup_{i=1}^{\infty} I_i) ]\!] \subseteq [\![ \bigcup_{i=1}^{\infty} S_P(I_i) ]\!]$. Again, we will use the characterization given by Proposition 4. Assume $\mathcal{A} = (H + C)\theta \in S_P(\bigcup_{i=1}^{\infty} I_i)$, with $H \circ\!- G$ a variant of a clause in $P$ and $\bigcup_{i=1}^{\infty} I_i \Vdash_{\Sigma_P} G \blacktriangleright C \blacktriangleright \theta$.

By item ii of Lemma 5 there exist $k \in \mathbb{N}$, a fact $C'$, and substitutions $\theta'$ and $\sigma$ (note that they are defined over $\Sigma_P$) s.t. $I_k \Vdash_{\Sigma_P} G \blacktriangleright C' \blacktriangleright \theta'$, $\theta|_{\mathit{FV}(G)} = (\theta' \circ \sigma)|_{\mathit{FV}(G)}$, $C'\theta'\sigma \preceq C\theta$. Let $C\theta = C'\theta'\sigma + D$, with $D$ a fact defined over $\Sigma_P$. By definition of $S_P$, $B = (H + C')\theta' \in S_P(I_k)$.

Exactly as above, we prove that $\mathcal{A} = (H + C)\theta = H\theta'\sigma + C'\theta'\sigma + D = B\sigma + D$. □

Corollary 2

For every $LO_\forall$ program $P$, $[\![ \mathit{lfp}(S_P) ]\!] = \mathit{lfp}(T_P)$.

Let $\mathcal{F}_{sym}(P) = \mathit{lfp}(S_P)$; then we have the following main theorem.

Theorem 2 (Soundness and Completeness)

For every $LO_\forall$ program $P$, $O(P) = F(P) = [\![ \mathcal{F}_{sym}(P) ]\!]_{\Sigma_P}$.

Proof

From Theorem 1 and Corollary 2. □

The previous results give us an algorithm to compute the operational and fixpoint semantics of a program $P$ via the fixpoint operator $S_P$.

Example 5.13

Let us consider a signature with a constant symbol $a$, a function symbol $f$ and predicate symbols $p, q, r, s$. Let $V$ be a denumerable set of variables, and $u, v, w, \ldots \in V$. Let us consider the program $P$ given below.

1. $r(w) \circ\!- q(f(w))$

2. $s(z) \circ\!- \forall x.p(f(x))$

3. $\bot \circ\!- q(u) \& r(v)$

4. $p(x) \parr q(x) \circ\!- \top$

From clause 4, and using the first rule for $\Vdash_{\Sigma_P}$, we get $S_P(\emptyset) = [\{\{p(x), q(x)\}\}]_\simeq$. For simplicity, we omit the class notation, and we write

$S_P\uparrow_1 = S_P(\emptyset) = \{\{p(x), q(x)\}\}$.

We can now apply the remaining clauses to the element $I = \{p(x), q(x)\}$ (remember that $S_P([I]_\simeq) = [S_P(I)]_\simeq$). From the first clause (see Example 5.10) we have $I \Vdash_{\Sigma_P} q(f(w')) \blacktriangleright p(x') \blacktriangleright [x' \mapsto f(w')]$. It follows that $(r(w'), p(x'))[x' \mapsto f(w')] = r(w'), p(f(w')) \in S_P\uparrow_2$. As the reader can verify (see the discussion in Example 5.10), clause 2 does not yield any further element, and the same holds for clause 3; therefore (changing $w'$ into $y$ for convenience)

$S_P\uparrow_2 = \{\{p(x), q(x)\}, \{r(y), p(f(y))\}\}$.

Now, we can apply clause 3 to the elements in $S_P\uparrow_2$. According to Example 5.10 we have that $I \Vdash_{\Sigma_P} q(u') \& r(v') \blacktriangleright p(x''') \blacktriangleright [u' \mapsto f(y'), v' \mapsto y', x''' \mapsto f(y')]$. Therefore we get that $(p(x'''))[u' \mapsto f(y'), v' \mapsto y', x''' \mapsto f(y')] = p(f(y')) \in S_P\uparrow_3$. Clause 2 cannot be applied yet, for the same reasons as above. Also, note that the element $r(y), p(f(y))$ is now subsumed by $p(f(y'))$. Therefore we can assume

$S_P\uparrow_3 = \{\{p(x), q(x)\}, \{p(f(y'))\}\}$.

Finally, we can apply clause 2 to $S_P\uparrow_3$, using the $\forall$-rule for the $\Vdash_{\Sigma_P}$ judgment. Take $c \notin \Sigma_P$, and consider a renaming of the last element in $S_P\uparrow_3$, $p(f(y''))$. Consider (a renaming of) clause 2, $s(z') \circ\!- \forall x.p(f(x))$. We have that $I \Vdash_{\Sigma_P,c} p(f(c)) \blacktriangleright \epsilon \blacktriangleright \mathit{nil}$, with $\mathit{nil}$ being the empty substitution. Therefore we get that $I \Vdash_{\Sigma_P} \forall x.p(f(x)) \blacktriangleright \epsilon \blacktriangleright \mathit{nil}$, from which $s(z') \in S_P\uparrow_4$. The reader can verify that no further clauses can be applied and that $S_P\uparrow_4$ is indeed the fixpoint of $S_P$; therefore we have that

$S_P\uparrow_4 = S_P\uparrow_5 = \{\{p(x), q(x)\}, \{p(f(y'))\}, \{s(z')\}\}$.

Note that $F(P)$ is defined to be $[\![ \mathit{lfp}(S_P) ]\!]_{\Sigma_P}$; therefore it includes, e.g., the elements $s(a)$ (see the earlier example), $p(f(f(y'')))$ and $p(f(f(y''))), q(x'')$. □

6 Ensuring Termination

In general the symbolic fixpoint semantics of first order LO programs is not computable (see also the results in (Cervesato et al. 1999)). In fact, the use of first order terms can easily lead to LO programs that encode operations over natural numbers. In this section, however, we will isolate a fragment of $LO_\forall$ for which termination of the bottom-up evaluation algorithm presented in Section 5 is guaranteed. An application of these results will be presented in Section 7. First of all, we will introduce some preliminary notions that we will use later on to prove the decidability of our fragment.

6.1 The Theory of Well Quasi-Orderings

In the following we summarize some basic definitions and results on the theory of well quasi-orderings (Higman 1952; Milner 1985; Abdulla et al. 1996). A quasi-order $\sqsubseteq$ on a set $A$ is a binary relation over $A$ which is reflexive and transitive. In the following it will be denoted $(A, \sqsubseteq)$.

Definition 6.1 (Well Quasi-Ordering)

A quasi-order $(A, \sqsubseteq)$ is a well quasi-ordering (wqo) if for each infinite sequence $a_0\, a_1\, a_2 \ldots$ of elements in $A$ there exist indices $i < j$ such that $a_j \sqsubseteq a_i$.¹

We have the following results, according to which a hierarchy of well quasi-orderings can be built starting from known ones. In the following $\underline{r}$ will denote the set $\{1, \ldots, r\}$, $r$ being a natural number, and $|w|$ the length of a string $w$.

Proposition 7 (From (Higman 1952))

i. If $A$ is a finite set, then $(A, =)$ is a wqo;

ii. let $(A, \sqsubseteq)$ be a wqo, and let $A^{\circledast}$ denote the set of finite multisets over $A$. Then $(A^{\circledast}, \sqsubseteq^{\circledast})$ is a wqo, where $\sqsubseteq^{\circledast}$ is the quasi-order on $A^{\circledast}$ defined as follows: given $S = \{a_1, \ldots, a_n\}$ and $S' = \{b_1, \ldots, b_r\}$, $S' \sqsubseteq^{\circledast} S$ if and only if there exists an injection $h : \underline{n} \to \underline{r}$ such that $b_{h(j)} \sqsubseteq a_j$ for $1 \le j \le n$;

iii. let $(A, \sqsubseteq)$ be a wqo, and let $A^*$ denote the set of finite strings over $A$. Then $(A^*, \sqsubseteq^*)$ is a wqo, where $\sqsubseteq^*$ is the quasi-order on $A^*$ defined in the following way: $w' \sqsubseteq^* w$ if and only if there exists a strictly monotone (meaning that $j_1 < j_2$ if and only if $h(j_1) < h(j_2)$) injection $h : \underline{|w|} \to \underline{|w'|}$ such that $w'(h(j)) \sqsubseteq w(j)$ for $1 \le j \le |w|$.

We are now ready to study the class of monadic $LO_\forall$ specifications.

6.2 Monadic $LO_\forall$ Specifications

The class of specifications we are interested in consists of monadic predicates without function symbols. Intuitively, in this class we can represent processes that carry along a single piece of information taken from a possibly infinite domain (universal quantification introduces fresh names during a derivation).

Definition 6.2 (Monadic $LO_\forall$ Specifications)

The class of monadic $LO_\forall$ specifications consists of $LO_\forall$ programs built over a signature $\Sigma$ including a finite set of constant symbols $\mathcal{C}$, no function symbols, and a finite set of predicate symbols $\mathcal{P}$ with arity at most one.

¹ Note that our $\sqsubseteq$ operator corresponds to the $\sqsupseteq$ operator of (Abdulla and Jonsson 2001). Here we adhere to the classical logic programming convention.
Definition 6.3 (Monadic Multisets and Interpretations)

The class of monadic multisets consists of multisets of (non-ground) atomic formulas over a signature $\Sigma$ including a finite set of constant symbols $\mathcal{C}$, no function symbols, and a finite set of predicate symbols $\mathcal{P}$ with arity at most one. An interpretation consisting of monadic multisets is called a monadic interpretation.

Example 6.4

Let $\Sigma$ be a signature including a constant symbol $a$, no function symbols, and predicate symbols $p$, $q$ and $r$ (with arity one), and $s$ (with arity zero). Let $V$ be a denumerable set of variables, and $x, y, \ldots \in V$. Then the clause

$p(x) \parr q(x) \parr r(x) \parr s \circ\!- (p(x) \parr p(a)) \& \forall v.r(v)$

is a monadic $LO_\forall$ specification, and the multiset $\{p(x), q(y), q(x), s\}$ is a monadic multiset. □

We have the following result.

Proposition 8

The class of monadic multisets is closed under applications of $S_P$, i.e., for every interpretation $I$, if $I$ is monadic then $S_P(I)$ is monadic.

Proof

Immediate by Definition 5.11 and Definition 5.9. □

Following Proposition 4, we define the entailment relation between multisets of (non-ground) atomic formulas, denoted $\sqsubseteq^m$, as follows. For the sake of simplicity, in the rest of this section we will apply the following convention. Consider a monadic multiset. First of all, we can eliminate constant symbols by performing the following transformation (note that in this class there are no ground terms other than constants). For every atom $p(a)$, where $p$ is a predicate symbol with arity one and $a$ is a constant symbol in $\Sigma$, we introduce a new predicate symbol with arity zero, let it be $p_a$, and we transform the original multiset by substituting $p_a$ in place of $p(a)$. The resulting set of predicate symbols is still finite (note that the set of constant and predicate symbols of the program is finite). It is easy to see that entailment between multisets transformed in the above way is a sufficient condition for entailment of the original multisets (note that the condition is not necessary: e.g., we cannot recognize that $p(a)$ entails $p(x)$).

Without loss of generality, we assume hereafter to deal with a set of predicate symbols with arity one (if this is not the case, we can complete predicates with arity less than one with dummy variables) and without constant symbols (otherwise, we apply the transformation previously described).

Definition 6.5

Given two multisets $\mathcal{A}$ and $B$, $\mathcal{A} \sqsubseteq^m B$ if and only if there exist a substitution $\theta$ and a multiset $C$ such that $\mathcal{A} = B\theta + C$.

Then, we have the following property.

Proposition 9

If $\mathcal{A} \sqsubseteq^m B$ then $[\![ \mathcal{A} ]\!] \subseteq [\![ B ]\!]$.

Proof

It follows from Definition 5.6 and Proposition 4. □

Let $\mathcal{M}$ be a monadic multiset with variables $x_1, \ldots, x_k$. We define $M_i$ as the multiset of predicate symbols having $x_i$ as argument in $\mathcal{M}$, and $S(\mathcal{M})$ as the multiset $\{M_1, \ldots, M_k\}$. For instance, given the monadic multiset $\mathcal{M}$ defined as $\{p(x_1), q(x_1), p(x_1), q(x_2), r(x_2), q(x_3), r(x_3)\}$, $S(\mathcal{M})$ is the multiset consisting of the elements $M_1 = ppq$, $M_2 = qr$, and $M_3 = qr$, i.e., $S(\mathcal{M}) = \{ppq, qr, qr\}$ (where $ppq$ denotes the multiset with two occurrences of $p$ and one of $q$, and so on).

Given two multisets of multisets of predicate symbols $S = \{M_1, M_2, \ldots, M_k\}$ and $T = \{N_1, N_2, \ldots, N_r\}$, let $S \sqsubseteq^s T$ if and only if there exists an injective mapping $h$ from $\{1, \ldots, r\}$ to $\{1, \ldots, k\}$ such that $N_i \preceq M_{h(i)}$ for $i = 1, \ldots, r$. As an example, $\{ppp, tt, qq, rrr\} \sqsubseteq^s \{pp, q, rr\}$ by mapping $pp$ into $ppp$ ($pp \preceq ppp$), $q$ into $qq$ ($q \preceq qq$), and $rr$ into $rrr$ ($rr \preceq rrr$). On the contrary, $\{ppp, rr, t, qq\} \not\sqsubseteq^s \{pq, q, rr\}$; in fact there is no multiset in the set on the left hand side of the previous relation of which $pq$ is a sub-multiset.

The following property relates the quasi-order $\sqsubseteq^s$ and the entailment relation $\sqsubseteq^m$.

Lemma 7

Let $\mathcal{M}$ and $\mathcal{N}$ be two monadic multisets. Then $S(\mathcal{M}) \sqsubseteq^s S(\mathcal{N})$ implies $\mathcal{M} \sqsubseteq^m \mathcal{N}$.

Proof

Let $S(\mathcal{M}) = \{M_1, M_2, \ldots, M_k\}$ and $S(\mathcal{N}) = \{N_1, N_2, \ldots, N_r\}$. Furthermore, let $h$ be the injective mapping from $\{1, \ldots, r\}$ to $\{1, \ldots, k\}$ such that $N_i \preceq M_{h(i)}$. By construction of $\mathcal{M}$ and $\mathcal{N}$, it is easy to see that for every $i \in \{1, \ldots, r\}$ we can isolate atomic formulas $A_{i1}, \ldots, A_{iz}$ in $\mathcal{N}$ (corresponding to the cluster of variables $N_i$), where $z$ is the cardinality of $N_i$, and atomic formulas $B_{i1}, \ldots, B_{iz}$ in $\mathcal{M}$ (corresponding to the cluster of variables $M_{h(i)}$), such that the conditions required by Definition 6.5 are satisfied. □
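The construction of $S(\mathcal{M})$ and the ordering $\sqsubseteq^s$ give a concrete decision procedure for the sufficient entailment test of Lemma 7, which is what makes the monadic fixpoint iteration terminate. The Python code below is an added example, not the paper's code or its Standard ML tool; the encoding of monadic atoms as (predicate, variable) pairs, the string shorthand `'ppq'` for clusters, and the function names are assumptions made here. It builds $S(\mathcal{M})$ by grouping predicate symbols per variable, decides $S \sqsubseteq^s T$ by searching for an injective mapping, and checks it against the two examples given above and the sample multiset $\mathcal{M}$.

```python
from collections import Counter

# Added example, not the paper's code. A monadic multiset is a tuple of
# (predicate, variable) pairs, e.g. (('p', 'x1'), ('q', 'x1')); following the
# convention of this section, constants are assumed already folded into 0-ary
# predicates and 0-ary predicates padded with dummy variables.

def clusters(m):
    """S(M): for every variable of M, the multiset of predicates applied to it."""
    by_var = {}
    for pred, var in m:
        by_var.setdefault(var, Counter())[pred] += 1
    return list(by_var.values())

def parse(word):
    """'ppq' -> Counter({'p': 2, 'q': 1}), the paper's shorthand for a cluster."""
    return Counter(word)

def sub_multiset(n, m):
    """n is a sub-multiset of m: every symbol occurs in m at least as often as in n."""
    return all(m[p] >= k for p, k in n.items())

def cluster_order(s, t):
    """S ⊑^s T: an injective h from T's clusters to S's clusters with N_i ⊑ M_h(i)."""
    if len(t) > len(s):
        return False
    return _embed(list(t), list(s), 0, frozenset())

def _embed(t, s, i, used):
    """Backtracking search for the injective mapping, one cluster of t at a time."""
    if i == len(t):
        return True
    for j in range(len(s)):
        if j not in used and sub_multiset(t[i], s[j]):
            if _embed(t, s, i + 1, used | {j}):
                return True
    return False

def entails_monadic(m, n):
    """Sufficient test for M ⊑^m N via Lemma 7: S(M) ⊑^s S(N)."""
    return cluster_order(clusters(m), clusters(n))

if __name__ == "__main__":
    M = (('p', 'x1'), ('q', 'x1'), ('p', 'x1'), ('q', 'x2'),
         ('r', 'x2'), ('q', 'x3'), ('r', 'x3'))
    print([''.join(sorted(c.elements())) for c in clusters(M)])   # ['ppq', 'qr', 'qr']
    print(cluster_order([parse(w) for w in ('ppp', 'tt', 'qq', 'rrr')],
                        [parse(w) for w in ('pp', 'q', 'rr')]))    # True
    print(cluster_order([parse(w) for w in ('ppp', 'rr', 't', 'qq')],
                        [parse(w) for w in ('pq', 'q', 'rr')]))    # False
```

The injective mapping is what keeps the test sound: two clusters of $\mathcal{N}$ may not be sent to the same cluster of $\mathcal{M}$, because the substitution $\theta$ of Definition 6.5 would then have to map two distinct variables of $\mathcal{N}$ to one variable of $\mathcal{M}$, which Lemma 7 does not license. As the text notes, the test is sufficient but not necessary, so a fixpoint engine using it may keep some redundant multisets; it never discards a non-redundant one.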

As an immediate consequence of this lemma, we obtain the following property.

Proposition 10

The entailment relation $\sqsubseteq^m$ between monadic multisets is a well quasi-ordering.

Proof

The conclusion follows from the observations below (in the following we denote by $\succeq$ the converse of the sub-multiset relation, i.e., $\mathcal{A} \succeq B$ if and only if $B \preceq \mathcal{A}$):

- the $\succeq$ relation is a well quasi-ordering by Dickson's Lemma (which is a consequence of Proposition 7; see also (Dickson 1918)). Intuitively, multiset inclusion is equivalent to the component-wise ordering of tuples of integers denoting the occurrences of the finite set of predicate symbols in a multiset;

- since $\sqsubseteq^s$ is built over elements ordered with respect to the well quasi-ordering $\succeq$, $\sqsubseteq^s$ is in turn a well quasi-ordering by item ii of Proposition 7;

- as a consequence of Lemma 7, $\sqsubseteq^s$ being a well quasi-ordering implies that $\sqsubseteq^m$ is a well quasi-ordering.

□

We can now formulate the following proposition, which states that the bottom-up fixpoint semantics is computable in finite time for monadic $\mathrm{LO}_\forall$ specifications. This result relies on the following facts: in the case of monadic specifications, each interpretation computed via bottom-up evaluation consists of monadic multisets, and the entailment relation between monadic multisets is a well quasi-ordering (therefore the fixpoint computation eventually stabilizes).

Proposition 11

Let $P$ be a monadic $\mathrm{LO}_\forall$ specification. Then there exists $k \in \mathbb{N}$ such that

$\mathcal{F}_{sym}(P) = \bigcup_{i=1}^{k} S_P^{\,i}(\emptyset)$.

Proof

We first note that the denotation of a monadic interpretation $I$ is defined in terms of the denotation of its elements (monadic multisets). Thus, a monadic interpretation $I$ represents an upward closed set with respect to the ordering $\sqsubseteq^m$. Furthermore, the sequence of interpretations computed during a fixpoint computation forms an increasing sequence with respect to their denotation. The result follows then from the propositions above (in particular Proposition 10) and known results on well quasi-orderings which guarantee that any infinite increasing sequence of upward-closed sets eventually stabilizes (see (Finkel and Schnoebelen 2001)). □
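As an added example (not code from the paper or its Standard ML tool), the following Python implements the injective-mapping relation between sets of multisets used for Lemma 7, checks it on the two examples given in the text, and uses it as the stabilization test that Proposition 11 relies on. Assumptions made here: a monadic multiset is encoded as a list of (predicate, variable) pairs, the finite second argument of m is folded into the predicate name, and an atom without variables (think) is filed under the key None.

```python
from collections import Counter

# Added example (not the paper's code or its Standard ML tool). A monadic
# multiset is a list of (predicate, variable) pairs: the finite second argument
# of m is folded into the predicate name (m_unlocked, m_locked), and an atom
# without variables such as think is filed under the key None (an assumption
# made here for the example).

def clusters(monadic):
    """S(M): the atoms of a monadic multiset grouped by variable; each cluster is
    the multiset of predicate symbols attached to that variable."""
    by_var = {}
    for pred, var in monadic:
        by_var.setdefault(var, Counter())[pred] += 1
    return list(by_var.values())

def sub_multiset(small, big):
    """small ≼ big: component-wise comparison of the occurrence counts, i.e. the
    ordering on integer tuples that Dickson's Lemma makes a well quasi-ordering."""
    return all(big[sym] >= n for sym, n in small.items())

def clusters_leq(small_set, big_set):
    """The relation between sets of multisets from the text: there is an injective
    map h from the indices of small_set into those of big_set with N_i ≼ M_h(i).
    Found by backtracking over injective assignments."""
    def assign(i, used):
        if i == len(small_set):
            return True
        return any(assign(i + 1, used | {j})
                   for j, m in enumerate(big_set)
                   if j not in used and sub_multiset(small_set[i], m))
    return assign(0, frozenset())

def entails_by_clusters(smaller, larger):
    """Sufficient condition given by Lemma 7: when the clusters of `smaller`
    embed injectively into those of `larger`, the entailment relation between
    the two monadic multisets holds."""
    return clusters_leq(clusters(smaller), clusters(larger))

def covered(element, interpretation):
    """True when `element` adds nothing: a multiset already in the interpretation
    entails it, so its upward closure is already represented."""
    return any(entails_by_clusters(old, element) for old in interpretation)

def stabilized(new_interp, old_interp):
    """Termination test behind Proposition 11: the iteration can stop once every
    element of the new interpretation is covered by the previous one."""
    return all(covered(m, old_interp) for m in new_interp)

def word(s):
    """Helper: 'ppp' -> Counter({'p': 3}), the shorthand used in the text."""
    return Counter(s)

# The two examples from the text: the first relation holds, the second fails
# because no multiset on the larger side has pq as a sub-multiset.
EX_HOLDS = clusters_leq([word('pp'), word('q'), word('rr')],
                        [word('ppp'), word('tt'), word('qq'), word('rrr')])
EX_FAILS = clusters_leq([word('pq'), word('q'), word('rr')],
                        [word('ppp'), word('rr'), word('t'), word('qq')])
# Injectivity matters: each copy of p fits into pp, but not both into the same one.
EX_INJECTIVE = clusters_leq([word('p'), word('p')], [word('pp')])

# Two elements of the fixpoint of Figure 9 (constructed from the figure):
# {use(x), use(x)} and {m(x, unlocked), use(x), use(y), m(y, locked)}.
USE_USE = [('use', 'x'), ('use', 'x')]
MON_USE = [('m_unlocked', 'x'), ('use', 'x'), ('use', 'y'), ('m_locked', 'y')]
# A constructed candidate that {use(x), use(x)} already covers.
USE_USE_MON = [('use', 'x'), ('use', 'x'), ('m_locked', 'y')]
```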

7 An Example

In this section we show how the bottom-up semantics of Section 5 can be applied to verify the test-and-lock protocol given in Section 3.2. In order to run the experiments described hereafter, we have built a prototypical verification tool implementing the bottom-up fixpoint procedure (backward reachability algorithm) described in Section 5. Following the guidelines and programming style described in (Elliott and Pfenning 1991), we have implemented an interpreter for the relevant first order fragment of LO, enriched with the bottom-up evaluation procedure described in Section 5. The verification tool has been implemented in Standard ML. Let us consider again the test-and-lock protocol given in Section 3.2. Using our verification tool, we can now automatically verify the mutual exclusion property for the protocol. The specification of unsafe states is simply as follows:

8. use(x) ⅋ use(x) ⊸ ⊤

Note that the test-and-lock specification can be transformed into a monadic one. In fact, the second argument can be embedded into the predicate m so as to define the two predicates m_unlocked and m_locked. In some sense, the specification is implicitly monadic since the second argument is defined over a finite set of states. Therefore termination of the fixpoint computation is guaranteed by Proposition 11. Running the verification algorithm, we actually find a mutual exclusion violation. The corresponding trace is shown in Figure 6, where bc(i*) denotes multiple applications of clause number i.

⊤_r
P ⊢_Σ init, ⊤, m(a, locked), m(a, locked)
P ⊢_Σ init, use(a), use(a), m(a, locked), m(a, locked)
P ⊢_Σ init, wait(a), wait(a), m(a, unlocked), m(a, unlocked)
bc(4*)
P ⊢_Σ init, think, think, m(a, unlocked), m(a, unlocked)
bc(2*)
P ⊢_Σ init, think, think
P ⊢_Σ init

Fig. 6. Incorrect test-and-lock protocol: a trace violating mutual exclusion

{init}
{use(x), use(x)}
{m(x, unlocked), use(x), wait(y)}
{m(x, unlocked), use(x), use(y), m(y, locked)}
{m(x, locked), use(x), m(y, unlocked), m(y, unlocked), think}
{m(x, unlocked), m(x, unlocked), wait(y), think}
{m(x, unlocked), m(x, unlocked), use(y), m(y, locked), use(z), m(z, locked)}
{m(x, unlocked), m(x, unlocked), use(y), m(y, locked), wait(z)}
{wait(x), m(y, unlocked), m(y, unlocked), wait(z)}
{m(x, unlocked), m(x, unlocked), think, think}
{use(x), m(x, unlocked), think}

Fig. 7. Fixpoint computed for the incorrect test-and-lock protocol

The problem of the above specification lies in clause 2:

2. init ⊸ init ⅋ m(x, unlocked)

In fact, using an (externally quantified) variable x does not prevent the creation of multiple monitors for the same resource. This causes a violation of mutual exclusion when different processes are allowed to concurrently access a given resource through different monitors. Figure 7 (where, for readability, we re-use the same variables in different multisets) also shows the fixpoint computed for the incorrect version of the protocol: note that the singleton multiset containing the atom init is in the fixpoint (this amounts to saying that there exists a state violating mutual exclusion which is reachable from the initial configuration of the protocol).

Luckily, we can fix the above problem in a very simple way. As we do not care about what resource identifiers actually are, we can elegantly encode them using universal quantification in the body of clause 2, as follows:

2'. init ⊸ init ⅋ ∀x. m(x, unlocked)

Every time a resource is created, a new constant, acting as the corresponding identifier, is created as well. Note that by the operational semantics of universal quantification, different resources are assigned different identifiers. This clearly prevents the creation of multiple monitors for the same resource. An example trace for the modified specification is shown in Figure 8 (where P is the program consisting of clauses 1, 2', 3 through 8; see Section 3.2).

Now, running again our verification tool on the corrected specification (termination is still guaranteed by Proposition 11), with the same set of unsafe states, we get the fixpoint shown in Figure 9. The fixpoint contains 12 elements and is reached in 7 steps. As the fixpoint does not contain init, mutual exclusion is verified, for any number of processes and any number of resources.

P ⊢_{Σ,c,d} use(c), wait(d), think, m(c, locked), m(d, unlocked)
P ⊢_{Σ,c,d} wait(c), wait(d), think, m(c, unlocked), m(d, unlocked)
P ⊢_{Σ,c,d} wait(c), wait(d), use(c), m(c, locked), m(d, unlocked)
P ⊢_{Σ,c,d} wait(c), wait(d), wait(c), m(c, unlocked), m(d, unlocked)
P ⊢_{Σ,c,d} think, wait(d), wait(c), m(c, unlocked), m(d, unlocked)
bc(4)
P ⊢_{Σ,c,d} think, think, wait(c), m(c, unlocked), m(d, unlocked)
P ⊢_{Σ,c,d} think, think, think, m(c, unlocked), m(d, unlocked)
bc(3)
P ⊢_{Σ,c,d} init, think, think, think, m(c, unlocked), m(d, unlocked)
bc(2'*)
P ⊢_Σ init, think, think, think
P ⊢_Σ init

Fig. 8. A correct version of the test-and-lock protocol: example trace

{use(x), use(x)}
{m(x, unlocked), use(x), init}
{m(x, unlocked), use(x), wait(y)}
{m(x, unlocked), use(x), use(y), m(y, locked)}
{m(x, locked), use(x), m(y, unlocked), m(y, unlocked), think}
{m(x, unlocked), m(x, unlocked), wait(y), think}
{m(x, unlocked), m(x, unlocked), use(y), m(y, locked), use(z), m(z, locked)}
{m(x, unlocked), m(x, unlocked), use(y), m(y, locked), wait(z)}
{wait(x), m(y, unlocked), m(y, unlocked), wait(z)}
{m(x, unlocked), m(x, unlocked), init}
{m(x, unlocked), m(x, unlocked), think, think}
{use(x), m(x, unlocked), think}

Fig. 9. Fixpoint computed for the correct test-and-lock protocol

We conclude by showing how it is possible to optimize the fixpoint computation. Specifically, we show that it is possible to use the so called invariant strengthening technique in order to reduce the dimension of the sets computed during the fixpoint evaluation. Invariant strengthening consists of enlarging the theory under consideration with new clauses (e.g., additional clauses representing further unsafe states). We remark that this technique is perfectly sound, in the sense that if no property violations are found in the extended theory, then no violations can be found in the original one (i.e., proofs in the original theory are still proofs in the extended one).

{use(x), use(x)}
{m(x, y), m(x, z)}
{m(x, unlocked), use(x), use(y), m(y, z)}
{m(x, unlocked), use(x), wait(y)}
{m(x, unlocked), use(x), init}
{use(x), m(x, unlocked), think}

Fig. 10. Fixpoint computed using invariant strengthening for the test-and-lock protocol

One possibility might be to apply the so-called counting abstraction, i.e., turn the above $\mathrm{LO}_\forall$ specification into a propositional program (i.e., a Petri net) by abstracting first order atoms into propositional symbols (e.g., wait(x) into wait, and so on), and compute the structural invariants of the corresponding Petri net. However, this strategy is not helpful in this case (no meaningful invariant is found). We can still try some invariants using some ingenuity. For instance, consider the following invariant:

9. m(x, y) ⅋ m(x, z) ⊸ ⊤

For what we said previously (different resources are assigned different identifiers) this invariant must hold for our specification. Running the verification tool on this extended specification we get the fixpoint in Figure 10, containing only 6 elements and converging in 4 steps. A further optimization could be obtained by adding the invariant use(x) ⅋ m(x, unlocked) ⊸ ⊤ (intuitively, if someone is using a given resource, the corresponding semaphore cannot be unlocked). In this case the computation converges immediately at the first step.

8 Reachability and Extensions of LO 

In this paper we have focused our attention on the relationship between provability 
in LO and coverability for the configuration of a concurrent system. 

Following (Bozzano et al. 2002), in order to characterize reachability problems between two "configurations" (goal formulas) we need an extra feature of linear logic, namely the logical constant 1. Differently from clauses with ⊤, clauses of the form A_1 ⅋ … ⅋ A_n ⊸ 1 make a derivation succeed if and only if the right-hand side of the current sequent matches an instance of A_1 ⅋ … ⅋ A_n, i.e., all resources must be used in the corresponding derivation.

Going back to the notation used in Section 3.1, let $P$ be a set of LO rewrite rules over $\Sigma$ and $V$, and $\mathcal{M}, \mathcal{M}'$ two multisets of ground atomic formulas (two configurations). Furthermore, let $H, G$ be the (possibly empty) ⅋-disjunctions of ground atomic formulas such that $H = \mathcal{M}'$ and $G = \mathcal{M}$. Then, the provability of the sequent $P, H \multimap 1 \vdash_\Sigma G$ precisely characterizes the reachability of configuration $\mathcal{M}'$ from the initial configuration $\mathcal{M}$ via a sequence of multiset rewriting steps defined over the theory $P$ (see (Bozzano et al. 2002)). Again, this is a straightforward consequence of the properties of clauses like $H \multimap 1$ and of the fact that, when working with LO rewrite rules, derivations have no branching.

1_r
P, D ⊢_{Σ,c} 1
bc(D)
P, D ⊢_{Σ,c} p(f(a)), p(f(b)), q(b), q(c)
bc(1)
P, D ⊢_Σ p(f(a)), p(b), q(f(b))

Fig. 11. Reachability as provability in LO_∀

Example 8.1

Let us go back to Example 3.10 of Section 3.1 (compare the definitions of the formulas $F_1$ and $F_2$ given there). Let $F_1'$ be the formula

p(a) ⅋ p(f(f(b))) ⅋ q(b) ⅋ q(b) ⅋ q(f(f(b))) ⊸ 1

and $F_2'$ be the formula

p(a) ⅋ q(b) ⊸ 1

and $G$ = p(a) ⅋ p(b) ⅋ q(f(b)). If we enrich $P$ with $F_1'$ instead of $F_1$, then we can transform the partial derivation of Figure 3 into an LO proof as shown below (where δ stands for the derivation fragment of Figure 3):

P ⊢_Σ 1
bc
δ

The resulting LO proof also shows that from the multiset {p(a), p(b), q(f(b))} we can reach the multiset {p(a), p(f(f(b))), q(b), q(b), q(f(f(b)))} after a finite number of rewriting steps defined in accordance with $P$. Note that, on the contrary (compare with Example 3.10), if we enrich $P$ with $F_2'$, it is not possible to turn the partial derivation of Figure 3 into an LO proof. In fact, every rewriting step will give us larger and larger multisets and the formula $F_2'$ never becomes applicable. □

Particular attention must be paid to the constants introduced in a derivation. They 
cannot be extruded from the scope of the corresponding universal quantifier. For 
this reason, the formulas representing target configurations must be generalized 
by introducing universally quantified variables in place of constants introduced in 
a derivation. For the sake of brevity, we will illustrate the connection between 
provability and reachability in the extended setting through the following example. 
                                  LO program and proof system
transition                        rule instance
current state                     goal formula
initial state                     initial goal
single final state                axiom with 1
upward-closed set of states       axiom with ⊤
reachability                      provability
Pre operator                      T_P operator
Pre* operator                     lfp(T_P)

Fig. 12. Reachability versus provability

Example 8.2

Let $\Sigma$ be the signature of Example 3.10. Let $P$ consist of the clause

1. p(x) ⅋ q(f(y)) ⊸ ∀w. (p(f(x)) ⅋ q(y) ⅋ q(w))

Now, let $D$ be the clause ∀x. p(f(a)) ⅋ p(f(b)) ⅋ q(b) ⅋ q(x) ⊸ 1, and let $G$ be the goal p(f(a)) ⅋ p(b) ⅋ q(f(b)). The universal quantifier is used here to generalize the representation of the target configuration. In fact, new constants will be introduced and associated to the predicate q in the derivation of the goal $G$. As an example, a possible derivation is shown in Figure 11 (where we have omitted applications of the ⅋_r rule for simplicity). The last backchaining step in Figure 11 is possible because of the universal quantifier used in $D$. It would not be possible to define $D$ as p(f(a)) ⅋ p(f(b)) ⅋ q(b) ⅋ q(c) ⊸ 1. In fact, the resulting initial sequent would violate the side condition of the ∀_r proof rule that requires the freshness of the new constants introduced in a proof. □
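As an added example (not code from the paper), the following Python replays Example 8.2 as forward multiset rewriting: one backchaining step on clause 1 introduces an eigenvariable, the generalized target D is then matched as an axiom with 1, and the variant of D that names the eigenvariable as a constant is rejected by the freshness side condition. Assumptions made here: terms and atoms are encoded as tuples, eigenvariables are named c0, c1, ... instead of the figure's c, the constants of Σ are taken to be a and b (the signature of Example 3.10 is not reproduced on this page), and a bounded forward search stands in for proof search.

```python
from collections import Counter
from itertools import count, permutations

# Added example, not code from the paper. A variable is a string starting with
# '?', a constant is any other string, a compound term is a tuple
# (functor, arg, ...); an atom has the same shape (predicate, arg, ...).
# A configuration is a multiset (Counter) of ground atoms.

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def match(pattern, ground, subst):
    """One-way matching of `pattern` against the ground term `ground`, extending
    the substitution `subst`; returns the extended substitution or None."""
    if is_var(pattern):
        if pattern not in subst:
            return {**subst, pattern: ground}
        return subst if subst[pattern] == ground else None
    if isinstance(pattern, tuple):
        if (not isinstance(ground, tuple) or len(pattern) != len(ground)
                or pattern[0] != ground[0]):
            return None
        for p, g in zip(pattern[1:], ground[1:]):
            subst = match(p, g, subst)
            if subst is None:
                return None
        return subst
    return subst if pattern == ground else None

def apply_subst(term, subst):
    if is_var(term):
        return subst.get(term, term)
    if isinstance(term, tuple):
        return (term[0],) + tuple(apply_subst(a, subst) for a in term[1:])
    return term

def constants(term, acc):
    """Collect the constants occurring in a term or atom into the set `acc`."""
    if isinstance(term, tuple):
        for a in term[1:]:
            constants(a, acc)
    elif not is_var(term):
        acc.add(term)
    return acc

def rewrite_steps(config, rule, fresh):
    """Every configuration reachable from `config` by one application of `rule`
    (a backchaining step on an LO rewrite rule). Each universally quantified
    body variable is bound to a new constant from `fresh`: the eigenvariable
    that the forall-r rule introduces."""
    atoms = list(config.elements())
    results = []
    for idx in permutations(range(len(atoms)), len(rule['head'])):
        subst = {}
        for h, i in zip(rule['head'], idx):
            subst = match(h, atoms[i], subst)
            if subst is None:
                break
        if subst is None:
            continue
        subst = {**subst, **{v: next(fresh) for v in rule['forall']}}
        new = Counter(config)
        new.subtract(Counter(atoms[i] for i in idx))   # consume the head atoms
        new.update(apply_subst(b, subst) for b in rule['body'])
        results.append(+new)                           # drop zero counts
    return results

def target_matches(config, target):
    """Axiom for a clause H ⊸ 1: succeeds only if the whole configuration is an
    instance of H (every resource consumed). Returns the substitution or None;
    the quantified variables of H may be bound to eigenvariables."""
    atoms = list(config.elements())
    if len(atoms) != len(target['head']):
        return None
    for idx in permutations(range(len(atoms))):
        subst = {}
        for h, i in zip(target['head'], idx):
            subst = match(h, atoms[i], subst)
            if subst is None:
                break
        if subst is not None:
            return subst
    return None

def well_formed_target(target, signature):
    """Side condition of forall-r: the target clause may mention only constants
    of the program signature, never an eigenvariable of some derivation."""
    return all(constants(a, set()) <= signature for a in target['head'])

def reaches(start, rules, target, max_steps):
    """Bounded forward search for a rewriting sequence from `start` to an
    instance of `target`; returns the list of configurations or None."""
    fresh = (f'c{i}' for i in count())        # eigenvariables c0, c1, ...
    frontier = [[start]]
    for _ in range(max_steps + 1):
        nxt = []
        for path in frontier:
            if target_matches(path[-1], target) is not None:
                return path
            for rule in rules:
                nxt += [path + [c] for c in rewrite_steps(path[-1], rule, fresh)]
        frontier = nxt
    return None

# Clause 1, target D and goal G of Example 8.2; Σ's constants assumed to be a, b.
RULE_1 = dict(head=[('p', '?x'), ('q', ('f', '?y'))],
              body=[('p', ('f', '?x')), ('q', '?y'), ('q', '?w')], forall={'?w'})
TARGET_D = dict(head=[('p', ('f', 'a')), ('p', ('f', 'b')), ('q', 'b'), ('q', '?x')],
                forall={'?x'})
# The rejected variant of D: the eigenvariable is written as a plain constant.
TARGET_D_BAD = dict(head=[('p', ('f', 'a')), ('p', ('f', 'b')), ('q', 'b'), ('q', 'c0')],
                    forall=set())
SIGMA = {'a', 'b'}
START = Counter([('p', ('f', 'a')), ('p', 'b'), ('q', ('f', 'b'))])
```

The test also checks that a two-atom target such as p(a) ⅋ q(b) ⊸ 1 is never reached from G, since every step on clause 1 grows the multiset by one atom, mirroring the remark on F_2' in Example 8.1.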

The extension of the fixpoint semantics presented in this paper to more general 
linear logic languages (e.g., languages that include 1) is a possible future direction 
for our research. 



9 Conclusions 

In this paper we have investigated the connections between techniques used for symbolic model checking of infinite-state systems (Abdulla et al. 1996; Finkel and Schnoebelen 2001) and provability in fragments of linear logic (Andreoli and Pareschi 1990). The relationship between the two fields is illustrated in Figure 12. From our point of view, linear logic can be used as a unifying framework for reasoning about concurrent systems (e.g., Petri Nets, multiset rewriting, and so on). In (Bozzano et al. 2002), we have applied algorithms previously developed for Petri Nets in order to derive bottom-up evaluation strategies for propositional linear logic. Conversely, in the current paper we have shown that the use of linear logic and the related bottom-up evaluation strategies can have interesting applications for the automated verification of infinite-state systems in which processes are described via colored formulas. Several applications of the ideas presented in this paper can be found in (Bozzano 2002) and (Bozzano and Delzanno 2002).
Apart from verification purposes, the new fixpoint semantics can also be useful to study new applications of linear logic programming (e.g., for active databases as discussed in (Harland and Winikoff 1998)). For this purpose, it might be interesting to extend the bottom-up evaluation framework to richer linear logic languages. Possible directions of research include languages with a richer set of connectives (e.g., Linlog (Andreoli 1992)), or languages with more powerful type theories (e.g., LLF (Cervesato and Pfenning 2002)).
Appendix A Some Notations

Multisets A multiset with elements in $D$ is a function $\mathcal{M} : D \to \mathbb{N}$. If $d \in D$ and $\mathcal{M}$ is a multiset on $D$, we say that $d \in \mathcal{M}$ if and only if $\mathcal{M}(d) > 0$. For convenience, we often use the notation for sets (allowing duplicated elements) to indicate multisets, when no ambiguity arises from the context. For instance, $\{a, a, b\}$, where $a, b \in D$, denotes the multiset $\mathcal{M}$ such that $\mathcal{M}(a) = 2$, $\mathcal{M}(b) = 1$, and $\mathcal{M}(d) = 0$ for all $d \in D \setminus \{a, b\}$. Sometimes we simply write $a, a, b$ for $\{a, a, b\}$. Finally, given a set $D$, $\mathcal{MS}(D)$ denotes the set of multisets with elements in $D$. We define the following operations on multisets. Let $D$ be a set, $\mathcal{M}_1, \mathcal{M}_2 \in \mathcal{MS}(D)$, and $n \in \mathbb{N}$, then: $\epsilon$ is defined s.t. $\epsilon(d) = 0$ for all $d \in D$ (empty multiset); $(\mathcal{M}_1 + \mathcal{M}_2)(d) = \mathcal{M}_1(d) + \mathcal{M}_2(d)$ for all $d \in D$ (union); $(\mathcal{M}_1 \setminus \mathcal{M}_2)(d) = \max\{0, \mathcal{M}_1(d) - \mathcal{M}_2(d)\}$ for all $d \in D$ (difference); $(\mathcal{M}_1 \cap \mathcal{M}_2)(d) = \min\{\mathcal{M}_1(d), \mathcal{M}_2(d)\}$ for all $d \in D$ (intersection); $(n \cdot \mathcal{M})(d) = n\,\mathcal{M}(d)$ for all $d \in D$ (scalar product); $\mathcal{M}_1 \neq \mathcal{M}_2$ if and only if there exists $d \in D$ s.t. $\mathcal{M}_1(d) \neq \mathcal{M}_2(d)$ (comparison); $\mathcal{M}_1 \preccurlyeq \mathcal{M}_2$ if and only if $\mathcal{M}_1(d) \le \mathcal{M}_2(d)$ for all $d \in D$ (inclusion); $(\mathcal{M}_1 \bullet \mathcal{M}_2)(d) = \max\{\mathcal{M}_1(d), \mathcal{M}_2(d)\}$ for all $d \in D$ (merge); $|\mathcal{M}_1| = \sum_{d \in D} \mathcal{M}_1(d)$ (cardinality). We use the notation of a formal sum $\sum_{i \in I} \mathcal{M}_i$ to denote the union of a family of multisets $\mathcal{M}_i$, with $i \in I$, $I$ being a finite set. It turns out that $(\mathcal{MS}(D), \preccurlyeq)$ has the structure of a lattice (the lattice is complete provided a greatest element is added). In particular, merge and intersection are, respectively, the least upper bound and the greatest lower bound operators with respect to the multiset inclusion operator $\preccurlyeq$.

Signatures Given a set of formulas $P$, we denote by $\Sigma_P$ the signature comprising the set of constant, function, and predicate symbols in $P$. We assume to have an infinite set $V$ of variable symbols, usually noted $x, y, z$, etc. In order to deal with signature augmentation (due to the presence of universal quantification over goals) we also need an infinite set $E$ of new constants (called eigenvariables). We denote by $Sig_P$ the set of signatures which comprise at least the symbols in $\Sigma_P$ (and possibly some eigenvariables).

$T_\Sigma$ denotes the set of non ground terms over $\Sigma$, i.e., the set of terms built over $\Sigma \cup V$ where $V$ is a denumerable set of variables. (A non ground term may have free variables; a ground term is also non ground.)

denotes the set of non ground atoms over $\Sigma$, i.e., atomic formulas built over non ground terms over $\Sigma$.

Multisets of non ground atoms over $\Sigma$ are also called facts throughout the paper, and usually noted $\mathcal{A}, \mathcal{B}, \mathcal{C}, \ldots$

Substitutions and Multiset Unifiers We inherit the usual concept of substitution (mapping from variables to terms) from traditional logic programming. We always consider a denumerable set of variables $V$, and substitutions are usually noted $\theta, \sigma, \tau, \ldots$ We use the notation $[x \mapsto t, \ldots]$, where $x$ is a variable and $t$ is a term, to denote substitution bindings, with $nil$ denoting the empty substitution. The application of a substitution $\theta$ to $F$, where $F$ is a generic expression (e.g., a formula, a term, ...) is denoted by $F\theta$. A substitution $\theta$ is said to be grounding for $F$ if $F\theta$ is ground; in this case $F\theta$ is called a ground instance of $F$. Composition of two substitutions $\theta$ and $\sigma$ is denoted $\theta \circ \sigma$, e.g., $F(\theta \circ \sigma)$ stands for $(F\theta)\sigma$. We indicate the domain of a substitution $\theta$ by $Dom(\theta)$, and we say "$\theta$ defined on a signature $\Sigma$" meaning that $\theta$ can only map variables in $Dom(\theta)$ to terms in $T_\Sigma$. Substitutions are ordered with respect to the ordering $\le$ defined in this way: $\theta \le \tau$ if and only if there exists a substitution $\sigma$ s.t. $\tau = \theta \circ \sigma$. If $\theta \le \tau$, $\theta$ is said to be more general than $\tau$; if $\theta \le \tau$ and $\tau \le \theta$, $\theta$ and $\tau$ are said to be equivalent. Finally, $FV(F)$, for an expression $F$, denotes the set of free variables of $F$, and $\theta|_W$, where $W \subseteq V$, denotes the restriction of $\theta$ to $Dom(\theta) \cap W$.

We need the notion of most general unifier (mgu). The definition of most general unifier is somewhat delicate. In particular, different classes of substitutions (e.g., idempotent substitutions) have been considered for defining most general unifiers. We refer the reader to (Eder 1985; Lassez et al. 1988; Palamidessi 1990) for a discussion. Most general unifiers form a complete lattice with respect to the ordering $\le$, provided a greatest element is added. For our purposes, we do not choose a particular class of most general unifiers; we only require the operation of least upper bound of two substitutions w.r.t. $\le$ to be defined and effective. The least upper bound of $\theta_1$ and $\theta_2$ is indicated $\theta_1 \uparrow \theta_2$. We refer the reader to (Palamidessi 1990) for the definition of the least upper bound. The only property which we use in this paper is that $\theta_1 \le (\theta_1 \uparrow \theta_2)$ and $\theta_2 \le (\theta_1 \uparrow \theta_2)$, for any substitutions $\theta_1$ and $\theta_2$. We assume $\uparrow$ to be commutative and associative.

We need to lift the definition of most general unifier from expressions to multisets of expressions. Namely, given two multisets $\mathcal{A} = \{a_1, \ldots, a_n\}$ and $\mathcal{B} = \{b_1, \ldots, b_n\}$ (note that $|\mathcal{A}| = |\mathcal{B}|$), we define a most general unifier of $\mathcal{A}$ and $\mathcal{B}$, written $mgu(\mathcal{A}, \mathcal{B})$, to be the most general unifier (defined in the usual way) of the two vectors of expressions $(a_1, \ldots, a_n)$ and $(b_{i_1}, \ldots, b_{i_n})$, where $\{i_1, \ldots, i_n\}$ is a permutation of $\{1, \ldots, n\}$. Depending on the choice of the permutation, in general there is more than one way to unify two given multisets (the resulting class of mgu in general will include unifiers which are not equivalent). We use the notation $\theta = mgu(\mathcal{A}, \mathcal{B})$ to denote any unifier which is non deterministically picked from the set of most general unifiers of $\mathcal{A}$ and $\mathcal{B}$.
Appendix B Proofs of Some Lemmas

Proof of Lemma

If part. By induction on the derivation of $I \models_\Sigma A, C \triangleright \epsilon$.

- If $A = \top, A'$, obvious;

- if $A = \mathcal{A}$ and $\mathcal{A} + C \in I_\Sigma$, then also $I \models_\Sigma \mathcal{A} \triangleright C$ holds;

- if $A = \forall x.\,G, A'$ and $I \models_{\Sigma,c} G[c/x], A', C \triangleright \epsilon$, with $c \notin \Sigma$, then by the inductive hypothesis $I \models_{\Sigma,c} G[c/x], A' \triangleright C$, which implies $I \models_\Sigma \forall x.\,G, A' \triangleright C$;

- if $A = G_1 \mathbin{\&} G_2, A'$, $I \models_\Sigma G_1, A', C \triangleright \epsilon$ and $I \models_\Sigma G_2, A', C \triangleright \epsilon$, by the inductive hypothesis $I \models_\Sigma G_1, A' \triangleright C$ and $I \models_\Sigma G_2, A' \triangleright C$, which implies $I \models_\Sigma G_1 \mathbin{\&} G_2, A' \triangleright C$;

- if $A = G_1 ⅋ G_2, A'$ or $A = \bot, A'$, the conclusion follows by a straightforward application of the inductive hypothesis.

Only if part. By induction on the derivation of $I \models_\Sigma A \triangleright C$.

- If $A = \top, A'$, obvious;

- if $A = \mathcal{A}$ and $\mathcal{A} + C \in I_\Sigma$, then also $I \models_\Sigma \mathcal{A}, C \triangleright \epsilon$ holds;

- if $A = \forall x.\,G, A'$ and $I \models_{\Sigma,c} G[c/x], A' \triangleright C$, with $c \notin \Sigma$, then by the inductive hypothesis $I \models_{\Sigma,c} G[c/x], A', C \triangleright \epsilon$, which implies $I \models_\Sigma \forall x.\,G, A', C \triangleright \epsilon$;

- if $A = G_1 \mathbin{\&} G_2, A'$, $I \models_\Sigma G_1, A' \triangleright C$ and $I \models_\Sigma G_2, A' \triangleright C$, by the inductive hypothesis $I \models_\Sigma G_1, A', C \triangleright \epsilon$ and $I \models_\Sigma G_2, A', C \triangleright \epsilon$, which implies $I \models_\Sigma G_1 \mathbin{\&} G_2, A', C \triangleright \epsilon$;

- if $A = G_1 ⅋ G_2, A'$ or $A = \bot, A'$, the conclusion follows by a straightforward application of the inductive hypothesis.

Proof of Lemma

i. By induction on the derivation of $I_1 \models_\Sigma A \triangleright C$.

- If $A = \top, A'$, obvious;

- if $A = \mathcal{A}$ and $\mathcal{A} + C \in (I_1)_\Sigma$, then $\mathcal{A} + C \in (I_2)_\Sigma$, because $I_1 \subseteq I_2$, therefore $I_2 \models_\Sigma \mathcal{A} \triangleright C$;

- if $A = \forall x.\,G, A'$ and $I_1 \models_{\Sigma,c} G[c/x], A' \triangleright C$, with $c \notin \Sigma$, then by the inductive hypothesis $I_2 \models_{\Sigma,c} G[c/x], A' \triangleright C$, which implies $I_2 \models_\Sigma \forall x.\,G, A' \triangleright C$;

- if $A = G_1 \mathbin{\&} G_2, A'$, $I_1 \models_\Sigma G_1, A' \triangleright C$ and $I_1 \models_\Sigma G_2, A' \triangleright C$, by the inductive hypothesis $I_2 \models_\Sigma G_1, A' \triangleright C$ and $I_2 \models_\Sigma G_2, A' \triangleright C$, which implies $I_2 \models_\Sigma G_1 \mathbin{\&} G_2, A' \triangleright C$;

- if $A = G_1 ⅋ G_2, A'$ or $A = \bot, A'$, the conclusion follows by a straightforward application of the inductive hypothesis.

ii. By induction on the derivation of $\bigcup_{i=1}^{\infty} I_i \models_\Sigma A \triangleright C$.

- If $A = \top, A'$, then for every $k \in \mathbb{N}$, $I_k \models_\Sigma A \triangleright C$;

- if $A = \mathcal{A}$ and $\mathcal{A} + C \in (\bigcup_{i=1}^{\infty} I_i)_\Sigma$, there exists $k \in \mathbb{N}$ s.t. $\mathcal{A} + C \in (I_k)_\Sigma$, i.e., $I_k \models_\Sigma \mathcal{A} \triangleright C$;

- if $A = \forall x.\,G, A'$ and $\bigcup_{i=1}^{\infty} I_i \models_{\Sigma,c} G[c/x], A' \triangleright C$, with $c \notin \Sigma$, then by the inductive hypothesis there exists $k \in \mathbb{N}$ s.t. $I_k \models_{\Sigma,c} G[c/x], A' \triangleright C$, therefore $I_k \models_\Sigma \forall x.\,G, A' \triangleright C$;

- if $A = G_1 \mathbin{\&} G_2, A'$, $\bigcup_{i=1}^{\infty} I_i \models_\Sigma G_1, A' \triangleright C$ and $\bigcup_{i=1}^{\infty} I_i \models_\Sigma G_2, A' \triangleright C$, by the inductive hypothesis there exist $k_1, k_2 \in \mathbb{N}$ s.t. $I_{k_1} \models_\Sigma G_1, A' \triangleright C$ and $I_{k_2} \models_\Sigma G_2, A' \triangleright C$. By taking $k = \max\{k_1, k_2\}$, by i we get $I_k \models_\Sigma G_1, A' \triangleright C$ and $I_k \models_\Sigma G_2, A' \triangleright C$, which implies $I_k \models_\Sigma G_1 \mathbin{\&} G_2, A' \triangleright C$;

- if $A = G_1 ⅋ G_2, A'$ or $A = \bot, A'$, the conclusion follows by a straightforward application of the inductive hypothesis.

Proof of Lemma

i. By induction on the derivation of $I \Vdash_\Sigma A \triangleright C \triangleright \theta$.

- If $A = \top, A'$, obvious;

- assume $A = \mathcal{A}$, with $\mathcal{B} \in I$ (variant), $\mathcal{B}' \preccurlyeq \mathcal{B}$, $\mathcal{A}' \preccurlyeq \mathcal{A}$, $C = \mathcal{B} \setminus \mathcal{B}'$, and $\theta = mgu(\mathcal{B}', \mathcal{A}')|_{FV(\mathcal{A}, C)}$. We want to prove that $[\![I]\!] \models_\Sigma \mathcal{A}\theta\theta' \triangleright C'\theta'$ for every substitution $\theta'$ and fact $C' \succcurlyeq C\theta$, i.e., $\mathcal{A}\theta\theta' + C\theta\theta' + \mathcal{D}\theta' \in [\![I]\!]_\Sigma$ for every substitution $\theta'$ and fact $\mathcal{D}$.

Now, $\mathcal{A}\theta\theta' + C\theta\theta' + \mathcal{D}\theta' = (\mathcal{A}\theta + C\theta + \mathcal{D})\theta' = (\mathcal{A}'\theta + (\mathcal{A} \setminus \mathcal{A}')\theta + (\mathcal{B} \setminus \mathcal{B}')\theta + \mathcal{D})\theta' =$ (remember that $\mathcal{B}' \preccurlyeq \mathcal{B}$) $(\mathcal{A}'\theta + (\mathcal{A} \setminus \mathcal{A}')\theta + (\mathcal{B}\theta \setminus \mathcal{B}'\theta) + \mathcal{D})\theta' = \mathcal{B}\theta\theta' + ((\mathcal{A} \setminus \mathcal{A}')\theta\theta' + \mathcal{D}\theta') \in [\![I]\!]_\Sigma$;

- if $A = \forall x.\,G, A'$ and $I \Vdash_{\Sigma,c} G[c/x], A' \triangleright C \triangleright \theta$, with $c \notin \Sigma$, then by the inductive hypothesis we have that

$[\![I]\!] \models_{\Sigma,c} G[c/x]\theta\theta', A'\theta\theta' \triangleright C'\theta'$

for every substitution $\theta'$ and fact $C' \succcurlyeq C\theta$ (where $\theta'$ and $C'$ are defined over $\Sigma, c$).

Assuming that the variable $x$ is not in the domain of $\theta\theta'$ (it is always possible to rename the universally quantified variable $x$ in $\forall x.\,G$), we have that $[\![I]\!] \models_{\Sigma,c} G\theta\theta'[c/x], A'\theta\theta' \triangleright C'\theta'$, and, by definition of the judgment, we get $[\![I]\!] \models_\Sigma \forall x.\,(G\theta\theta'), A'\theta\theta' \triangleright C'\theta'$, i.e., $[\![I]\!] \models_\Sigma (\forall x.\,G, A')\theta\theta' \triangleright C'\theta'$,

for every substitution $\theta'$ and fact $C'$ defined over $\Sigma, c$ (and therefore also for every substitution $\theta'$ and fact $C'$ defined over $\Sigma$), with $C' \succcurlyeq C\theta$;

- assume $A = G_1 \mathbin{\&} G_2, A'$ and $I \Vdash_\Sigma G_1 \mathbin{\&} G_2, A' \triangleright C \triangleright \theta$.

We need to prove that $[\![I]\!] \models_\Sigma (G_1 \mathbin{\&} G_2, A')\theta\theta' \triangleright C'\theta'$ for every substitution $\theta'$ and fact $C' \succcurlyeq C\theta$, i.e., that $[\![I]\!] \models_\Sigma (G_1 \mathbin{\&} G_2, A')\theta\theta' \triangleright C\theta\theta' + \mathcal{F}\theta'$ for every substitution $\theta'$ and fact $\mathcal{F}$.

By definition of $\Vdash_\Sigma$, we have that there exist facts $C_1' \preccurlyeq C_1$, $C_2' \preccurlyeq C_2$ with $|C_1'| = |C_2'|$, and substitutions $\theta_1, \theta_2, \theta_3$ s.t.

$\theta_3 = mgu(C_1', C_2')$, $C = C_1 + (C_2 \setminus C_2')$, $\theta = (\theta_1 \uparrow \theta_2 \uparrow \theta_3)|_{FV(A, C)}$,

$I \Vdash_\Sigma G_1, A' \triangleright C_1 \triangleright \theta_1$ and $I \Vdash_\Sigma G_2, A' \triangleright C_2 \triangleright \theta_2$.

By the inductive hypothesis, we have that

$[\![I]\!] \models_\Sigma (G_1, A')\theta_1\theta_1' \triangleright C_1\theta_1\theta_1' + \mathcal{D}_1\theta_1'$ and $[\![I]\!] \models_\Sigma (G_2, A')\theta_2\theta_2' \triangleright C_2\theta_2\theta_2' + \mathcal{D}_2\theta_2'$

for every substitutions $\theta_1', \theta_2'$ and facts $\mathcal{D}_1, \mathcal{D}_2$.

By choosing $\mathcal{D}_1 = (C_2 \setminus C_2')\theta_1 + \mathcal{F}_1$ and $\mathcal{D}_2 = (C_1 \setminus C_1')\theta_2 + \mathcal{F}_2$, we have, for every substitutions $\theta_1', \theta_2'$ and facts $\mathcal{F}_1, \mathcal{F}_2$,

$[\![I]\!] \models_\Sigma (G_1, A')\theta_1\theta_1' \triangleright (C_1 + (C_2 \setminus C_2'))\theta_1\theta_1' + \mathcal{F}_1\theta_1'$ and $[\![I]\!] \models_\Sigma (G_2, A')\theta_2\theta_2' \triangleright (C_2 + (C_1 \setminus C_1'))\theta_2\theta_2' + \mathcal{F}_2\theta_2'$.

By definition of $\theta$, we have that there exist substitutions $\gamma_1, \gamma_2, \gamma_3$ and $\tau$ s.t.

$\tau = \theta_1 \circ \gamma_1$, $\tau = \theta_2 \circ \gamma_2$, $\tau = \theta_3 \circ \gamma_3$, and $\theta = \tau|_{FV(A, C)}$.

Now, let $\mathcal{F}_1$ be a variant of $\mathcal{F}\theta'$ with new variables, and define the substitution $\theta_1'$ s.t. $Dom(\theta_1') = Dom(\gamma_1 \circ \theta') \cup FV(\mathcal{F}_1)$ (clearly these two latter sets are disjoint), $\theta_1'|_{Dom(\gamma_1 \circ \theta')} = \gamma_1 \circ \theta'$ and $\mathcal{F}_1\theta_1' = \mathcal{F}\theta'$. Do the same for $\mathcal{F}_2$, i.e., let it be another variant of $\mathcal{F}\theta'$ with new variables, and define $\theta_2'$ in the same way, so that $Dom(\theta_2') = Dom(\gamma_2 \circ \theta') \cup FV(\mathcal{F}_2)$, $\theta_2'|_{Dom(\gamma_2 \circ \theta')} = \gamma_2 \circ \theta'$, and $\mathcal{F}_2\theta_2' = \mathcal{F}\theta'$.

From the definition of $\tau$ it follows that $(G_1, A')\theta_1\theta_1' = (G_1, A')\theta_1\gamma_1\theta' = (G_1, A')\theta\theta'$, and similarly $(G_2, A')\theta_2\theta_2' = (G_2, A')\theta\theta'$. Also, $(C_1 + (C_2 \setminus C_2'))\theta_1\theta_1' = C\theta_1\theta_1' = C\theta\theta'$.

We also have that $(C_2 + (C_1 \setminus C_1'))\theta_2\theta_2' = (C_2 + (C_1 \setminus C_1'))\theta_2\gamma_2\theta' = (C_2 + (C_1 \setminus C_1'))\tau\theta' = (C_2 + (C_1 \setminus C_1'))\theta_3\gamma_3\theta' =$ (remember that $C_1' \preccurlyeq C_1$) $(C_2\theta_3 + (C_1\theta_3 \setminus C_1'\theta_3))\gamma_3\theta' =$ (remember that $\theta_3$ is a unifier of $C_1'$ and $C_2'$) $(C_2\theta_3 + (C_1\theta_3 \setminus C_2'\theta_3))\gamma_3\theta' =$ (note that $C_2'\theta_3 = C_1'\theta_3 \preccurlyeq C_1\theta_3$) $((C_2\theta_3 + C_1\theta_3) \setminus C_2'\theta_3)\gamma_3\theta' =$ (note that $C_2' \preccurlyeq C_2$) $(C_1\theta_3 + (C_2\theta_3 \setminus C_2'\theta_3))\gamma_3\theta' = (C_1 + (C_2 \setminus C_2'))\theta_3\gamma_3\theta' = C\theta_3\gamma_3\theta' = C\theta\theta'$.

By putting everything together, the inductive hypotheses become $[\![I]\!] \models_\Sigma (G_1, A')\theta\theta' \triangleright C\theta\theta' + \mathcal{F}\theta'$ and $[\![I]\!] \models_\Sigma (G_2, A')\theta\theta' \triangleright C\theta\theta' + \mathcal{F}\theta'$, from which the thesis follows by definition of $\models_\Sigma$;

- if $A = G_1 ⅋ G_2, A'$ and $I \Vdash_\Sigma G_1, G_2, A' \triangleright C \triangleright \theta$, then by the inductive hypothesis we have that $[\![I]\!] \models_\Sigma (G_1, G_2, A')\theta\theta' \triangleright C'\theta'$, for every substitution $\theta'$ and fact $C' \succcurlyeq C\theta$.

Therefore, $[\![I]\!] \models_\Sigma G_1\theta\theta', G_2\theta\theta', A'\theta\theta' \triangleright C'\theta'$, and, by definition of the judgment, we get $[\![I]\!] \models_\Sigma (G_1 ⅋ G_2, A')\theta\theta' \triangleright C'\theta'$;

- if $A = \bot, A'$, the conclusion follows by a straightforward application of the inductive hypothesis.

ii. By induction on the derivation of |/] |=e A^ ► C. 

- If A = T, A', take C = e, 9' = nil, and a = 9; 
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assume |/] AO-C and AO + C e |/]s = Up^{Insts{I)). Then 
there exist B € I, a, fact V, and a substitution r (defined on S) s.t. 
A9 + C = Bt + P. We can safely assume, thanks to the substitution 
T, that S is a variant of an element in /. Also, we can assume that 
Dom{T) C FV{B) and Dom{9) n Dom{T) ^ 0. 

Now, take the substitution 7 s.t. Dom{"f) = {Dom{9) n FV{A)) U 
/?OTO(r), 

7|Dom(9)ni=^V'(yl) = S\Dom{e)nFV(A) a-nd 7|Dom(r) = 

We have that A'y + C = + P. Let ^' =<; ^ and B' ^ B he two 
maximal sub-multisets s.t. A'j — B'j, p = mgu{A' , B'), and 6' — 
P|FV(.A)uFy(8\B')- By definition of the Ihs judgment, we have that / Ihs 
^►C'«-6»', where C = B\B'. 

As 7 is a unifier for A' ,B' , while p = mgu{A' , B'), we have that there 
exists a substitution a s.t. j — p o a. Therefore, 0\fv{A) — 1\fv{A) = 

(.P°'^)\FViA) = (P|(Fy(^)uFy(»v6')) °'^)|Fy(.A) i^' ° '^)\fv{A)' as re- 
quired. 

Furthermore, since A'y + C = B^ + 2? and A' =4 A, it follows that 
A'-i + {A\A')-i+C = B'7 + (S\6')7+^, i-e., {A\A)i+C = iB\B')-/ + V. 
By this equality and maximality of A' and B' , we get that necessarily 
{B\B')j =4 C (otherwise, {B\B')'-f and (^\^')7 would have elements in 
common). Therefore, C'd'a = {B\B')e'a = {B\B')p<T = {B\B')-f ^ C, as 
required; 

if A = Va;.G, A' and |/] hs,c {G[c/ x], /^')e *■ C, with c ^ E, then by 
the inductive hypothesis there exist a fact C, and substitutions 9' and 
cr (defined over S, c) s.t. 

/Ihs,c G[c/x],A'-C'-0', 

^|FV(G[c/2:],A') = °^)|FV(G[c/2;],A')' ^^^^^ ^' ^' ^ ^ ^- definition of 
the Ihs judgment, we get that 

/ Ihs Vx.G, AVC'^-ei'- 
The conclusion follows (remember that we must ensure that C, 9' and 
a are defined over S) by the following crucial observations: 

■ Dom{9') C (Fl/(G[c/a;], A') U FV{C')) by LemmaE 

• 9' does not map variables in G[c/x\^ A' to the eigenvariable c. In fact 
we know that does not map variables in G[c/a;], A' to c (by hy- 
pothesis) and we know that [9' o o-)|_Fy(G[c/2;],A') ^ ^|Fy(G[c/a;],A') ; 

• 0' does not map variables in C to c and C itself does not contain c. 
In fact we know that C does not contain c (by hypothesis) and also 
that C'9'a ^ C; 

• we can safely assume that Dom{cr) does not contain variables mapped 
to c. Intuitively, these bindings are useless. Formally, we can restrict 
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the domain of a to variables that are not mapped to c: with this 
restriction, the equalities 6'|_Fy(G[c/2:],A') = ° '^)\fv{g[c/x] A') 
Ce'a ^ C stiU hold. 

- assume A = Gi&G2,A' and |/] (Gi & G2A')6' ► C. We need to 
prove that there exist a fact C and substitutions 0' and a s.t. / Ihs 

Gi & G2, A' ► C ► 61', 0\pv{Gi,G2,A') = ° ^)|Fy(Gi,G2,A')' '^'^'^ ^ ^■ 

By definition of we have that 

/ He (Gi,A')0«-C and / He (G2, A')f? «► C- 

By the inductive hypothesis, we have that there exist facts Ci,C2 and 
substitutions 61,62, <7i,cr2 s.t. 

/Ihs Gi,AVCi«>6'i and / Ihs G2, A' ► C2 " 6*2, 

(^\FV{GiA') = (^1 ° f^l)|_FV(Gi,A')' ^|F\/(G2,A') = (^2 o 0"2) _^,) , 

Ci 6*1(71 =^ C and €262(^2 =4 C. 

Now, let Pi ^ Ci and P2 =^ C2 s.t. Vi6iai = V262a2 = Ci^idi nC262<J2- 
Let r be the substitution (6*1 o cti)|^^(q^^^,^^) U {62 o cr2)\FV{G2,A' .02)' 
T is well defined because 61 o cti and ^2 ° o'2 both behave like on vari- 
ables in Fy(Gi, A') n FV^(G2, A'), and Ci,C2 do not have variables in 
common except for variables in Gi, G2, A' (note that new variants of 
elements in / are chosen every time the judgment Ih^ is computed). 

Now, $D_1$ and $D_2$ are unified by $\tau$, because $D_1\tau = D_1\theta_1\sigma_1 = D_2\theta_2\sigma_2 = D_2\tau$. 
Therefore, there exists $\theta_3 = mgu(D_1, D_2)$ s.t. $\tau \geq \theta_3$ ($\theta_3$ is more 
general than $\tau$). Also, $\tau \geq \theta_1\sigma_1 \geq \theta_1$ and $\tau \geq \theta_2\sigma_2 \geq \theta_2$. Therefore, $\tau$ is 
an upper bound for $\{\theta_1, \theta_2, \theta_3\}$ and there exist $\theta' = (\theta_1 \uparrow \theta_2 \uparrow \theta_3)|_{FV(G_1,G_2,\Delta')}$ 
and a substitution $\gamma$ s.t. $\tau = \theta' \circ \gamma$. Now we can apply the definition of 
$\Vdash_\Sigma$ (rule for $\&$) and we get that 

$I \Vdash_\Sigma G_1 \,\&\, G_2, \Delta' \blacktriangleright C' \blacktriangleright \theta'$, 
where $C' = C_1 + (C_2 \setminus D_2)$. Letting $\sigma = \gamma$, we can prove the thesis. 
First of all, since $\theta' \circ \sigma = \theta' \circ \gamma = \tau$, and by definition of $\tau$, we have that 
$\theta|_{FV(G_1,G_2,\Delta')} = (\theta' \circ \sigma)|_{FV(G_1,G_2,\Delta')}$. It remains to prove that $C'\theta'\sigma \preccurlyeq C$ holds. 
Now, we have $C'\theta'\sigma = C'\tau = C_1\tau + C_2\tau \setminus D_2\tau = C_1\tau + C_2\tau \setminus D_2\theta_2\sigma_2 
= C_1\tau + C_2\tau \setminus (C_1\theta_1\sigma_1 \cap C_2\theta_2\sigma_2) = C_1\tau + C_2\tau \setminus (C_1\tau \cap C_2\tau) \preccurlyeq C$. The last 
passage holds because $C_1\tau \preccurlyeq C$ and $C_2\tau \preccurlyeq C$ (by definition of $\tau$ and 
by the inductive hypothesis) and relies on the following property of 
multisets: $A \preccurlyeq D$ and $B \preccurlyeq D$ implies $A + B \setminus (A \cap B) \preccurlyeq D$; 

- if $\Delta = G_1 \parr G_2, \Delta'$ or $\Delta = \bot, \Delta'$, the conclusion follows by a straightforward 
application of the inductive hypothesis. 
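The multiset property used in the last step of the $\&$ case, instantiated on a constructed ground example (added here; it is not part of the paper). It assumes $\preccurlyeq$ is sub-multiset inclusion, $\cap$ is multiset intersection (pointwise minimum), $+$ is multiset sum and $\setminus$ is multiset difference; with ground facts every substitution is the identity, so $C'\tau = C'$.

```latex
% Constructed ground instance, not from the paper. Assumptions: \preccurlyeq is
% sub-multiset inclusion, \cap pointwise minimum, + multiset sum, \setminus
% multiset difference; facts are ground, so \tau, \theta_i, \sigma_i are identities.
C   = \{p(a), p(a), q(b), q(b), r(c)\} \\
C_1 = \{p(a), p(a), q(b)\} \preccurlyeq C, \qquad
C_2 = \{p(a), q(b), q(b)\} \preccurlyeq C \\
D_1 = D_2 = C_1 \cap C_2 = \{p(a), q(b)\} \\
C' = C_1 + (C_2 \setminus D_2)
   = \{p(a), p(a), q(b)\} + \{q(b)\}
   = \{p(a), p(a), q(b), q(b)\} \preccurlyeq C \\
\text{whereas the plain sum } C_1 + C_2 = \{p(a), p(a), p(a), q(b), q(b), q(b)\} \not\preccurlyeq C .
```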

Proof of Lemma 

i. Assume $I_1 \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$ and $I_1 \sqsubseteq I_2$. By item i of Lemma [?], $\lceil I_1 \rceil \models_\Sigma \Delta\theta \blacktriangleright C\theta$. 
By item i of Lemma [?], $\lceil I_2 \rceil \models_\Sigma \Delta\theta \blacktriangleright C\theta$. The conclusion then follows from 
item ii of Lemma [?]. 
ii. Assume $\bigcup_{i \geq 1} I_i \Vdash_\Sigma \Delta \blacktriangleright C \blacktriangleright \theta$ and $I_1 \sqsubseteq I_2 \sqsubseteq \cdots$. By item i of Lemma [?], 
$\lceil \bigcup_{i \geq 1} I_i \rceil \models_\Sigma \Delta\theta \blacktriangleright C\theta$, i.e., as it can be readily verified from Definition 5.6 
and Definition 5.7, $\bigcup_{i \geq 1} \lceil I_i \rceil \models_\Sigma \Delta\theta \blacktriangleright C\theta$. By item ii of Lemma [?] there exists 
$k \in \mathbb{N}$ s.t. $\lceil I_k \rceil \models_\Sigma \Delta\theta \blacktriangleright C\theta$. The conclusion then follows from item ii of 
Lemma [?]. 

Proof of Lemma 

i. By simple induction on the derivation of $I \Vdash_{\Sigma_1} \Delta \blacktriangleright C \blacktriangleright \theta$. 
ii. By induction on the derivation of $\lceil I \rceil \models_\Sigma \Delta \blacktriangleright C$. 

- If $\lceil I \rceil \models_\Sigma \top, \Delta \blacktriangleright C$, immediate; 

- assume $\lceil I \rceil \models_\Sigma \Delta \blacktriangleright C$ and $\Delta + C \in \lceil I \rceil_\Sigma$. It follows that there exist $B \in I$, 
a fact $D$, and a substitution $\theta$ (defined on $\Sigma$) such that $\Delta + C = B\theta + D$. 
Note that $B$ is defined on $\Sigma_P$ by definition of (abstract) interpretation. 

Now, $\lceil \Delta \rceil + \lceil C \rceil = \lceil \Delta + C \rceil = \lceil B\theta + D \rceil = \lceil B\theta \rceil + \lceil D \rceil =$ (remember 
that $B$ is defined on $\Sigma_P \subseteq \Sigma_1$) $B\lceil \theta \rceil + \lceil D \rceil$. We can conclude that 
$\lceil \Delta \rceil + \lceil C \rceil \in \lceil I \rceil_{\Sigma_1}$ (note that $B \in I$ and $\lceil \theta \rceil, \lceil D \rceil$ are defined on $\Sigma_1$); it 
follows that $\lceil I \rceil \models_{\Sigma_1} \lceil \Delta \rceil \blacktriangleright \lceil C \rceil$; 

- assume $\lceil I \rceil \models_\Sigma \forall x.G, \Delta \blacktriangleright C$ and $\lceil I \rceil \models_{\Sigma,c} G[c/x], \Delta \blacktriangleright C$, with $c \notin \Sigma$. 
From $\Sigma_1 \subseteq \Sigma$ we get $\Sigma_1, c \subseteq \Sigma, c$, therefore we can apply the inductive 
hypothesis. It follows that $\lceil I \rceil \models_{\Sigma_1,c} \lceil G[c/x], \Delta \rceil \blacktriangleright \lceil C \rceil$ if and only if 
$\lceil I \rceil \models_{\Sigma_1,c} \lceil G[c/x] \rceil, \lceil \Delta \rceil \blacktriangleright \lceil C \rceil$ if and only if (remember that $c \notin \Sigma \setminus \Sigma_1$ 
because $c \notin \Sigma$) $\lceil I \rceil \models_{\Sigma_1,c} \lceil G \rceil[c/x], \lceil \Delta \rceil \blacktriangleright \lceil C \rceil$. By definition of $\models$ (re- 
member that $c \notin \Sigma$ implies $c \notin \Sigma_1$), we get $\lceil I \rceil \models_{\Sigma_1} \forall x.\lceil G \rceil, \lceil \Delta \rceil \blacktriangleright \lceil C \rceil$ 
if and only if $\lceil I \rceil \models_{\Sigma_1} \lceil \forall x.G, \Delta \rceil \blacktriangleright \lceil C \rceil$ (we assume $x$ to be disjoint from 
the variables introduced by the $\lceil \cdot \rceil$ construction); 

- the remaining cases follow by a straightforward application of the inductive 
hypothesis. 